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Editor’s Comments 


Welcome to volume 11, issue 1 of the Journal of Physical Security (JPS). In addition to the 
usual editor’s rants and news about security that appear immediately below, this issue has 
papers on election security, physical security networks, technology for tracking sealed 
radiological sources, an analysis of active shooter training videos, and whether security 
belongs in the Facility Management (Operations) Department/Division/Section. 


All papers are anonymously peer reviewed unless otherwise noted. We are very grateful 
indeed to the reviewers who contribute their time and expertise to advance our under- 
standing of security without receiving recognition or compensation. This is the true sign of 
a professional! 


Past issues of JPS are available at http://jps.rbsekurity.com, and you can also sign up 
there to be notified by email when a new issue becomes available. 


JPS is hosted by Right Brain Sekurity (RBS) as a free public service. RBS is a small 
company devoted to physical security consulting, vulnerability assessments, and R&D. 


(http://rbsekurity.com) 


As usual, the views expressed in these papers and the editor’s comments are those of the 
author(s) and should not necessarily be ascribed to their home institution(s) or to Right 
Brain Sekurity. 


KK KKK 


Hitting the Wall 


According to news reports, prototypes of the proposed border wall are receiving 
penetration testing by U.S. Special Forces. See, for example, 
http://www.latimes.com/local/lanow/la-me-border-wall-test-20180119-story.html 


Iam unfamiliar with the details, but the reported attack methods, “using jackhammers, 
saws, torches and other tools and climbing devices”, strikes me as remarkably 
unimaginative and unresourceful. But that is often the case with so-called “vulnerability 
assessments” or “security tests”. 


In a recent report, the GAO was critical of the DHS process for developing and deploying a 


border wall. See https://www.gao.gov/assets/700/693488.pdf 


RK KKK 


You're a Jackass! 


Counterfeiting is a huge worldwide problem. Items widely counterfeited include money, 
tickets, sports memorabilia, pharmaceuticals, industrial products, fashion accessories, etc. 


i 
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Now a zoo in Egypt is accused of counterfeiting animals. Cairo’s International Garden 
Municipal Zoo reportedly painted a donkey with stripes in order to pass it off as a zebra. 


See https: //www.bbc.com/news/world-africa-44968509 


Actually, it is not at all unusual for zoos to counterfeit exotic animals. A zoo in Gaza 
purportedly did the same thing with 2 donkeys in 2009. Another Gaza zoo put stuffed 
animals on display in 2012, and a Chinese zoo showed inflatable plastic toy penguins 
instead of real penguins. A different Chinese zoo fraudulently displayed plastic butterflies. 
In 2013, a zoo in China even tried to pass off a Tibetan mastiff dog as an African lion. This 
breed of dog does kind of look like a small lion. You can see for yourself at 


https://www.cnn.com/2013/08/16/world/asia/china-zoo-dog-lion/index.html. The same 


zoo also used foxes to impersonate leopards, anda different dog to stand-in fora wolf. See 


rats-as- eniiieos: 3924517/ 


The Chinese in particular have a long and disgraceful history of counterfeiting. About 70% 
of all fake goods seized worldwide are made in China. 
(https://thediplomat.com/2015/10/chinas-addiction-to-counterfeiting/). The following 
article on “The 5 Most Insane Examples of Chinese Counterfeiting” is particularly 
interesting: http://www.cracked.com/article 19742 the-5-most-insane-examples- 
chinese-counterfeiting.html. 


The issue of whether counterfeiting is a fundamental part of Chinese culture is discussed 
in this thoughtful article: http: 


Another Jackass 


In 2008, a man in Texas was arrested for trying to cash a $360 billion dollar check at a 
local bank. Amazingly, it turned out to be bogus. See 
http: //news.bbc.co.uk/2/hi/americas/7380637.stm 


KK KKK 


Don’t Be Catty! 


In the 1960’s, the CIA tried to recruit cats as spies and bugging platforms. Who could 
have predicted that the cats wouldn’t be very cooperative? See 


KKK K 


Airport Security? 


A purported serial airplane stowaway was arrested in January at O’Hare airport after 
again reportedly sneaking past Transportation Security Administration (TSA) airport 
screeners. She supposedly “used her hair to hide her face and walk past” two TSA agents. 


ii 
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(TSA can hardly be expected to handle such sophisticated and clever adversarial methods!) 
The next day (after sleeping at the airport), this individual reportedly was able to get past 
two British Airways ticket agents at the gate, plus a Customs and Border Patrol Officer, and 
board a plane to England that landed in London with her onboard, even though she lacked 
a ticket. The accused stowaway has a history of successfully sneaking past airport security 
and being a stowaway on planes. This is someone that TSA should hire as a security 
consultant! For more information, see 

http: //www.chicagotribune.com/news/local/breaking/ct-met-serial-stowaway-arrested- 


at-ohare-20180128-story.html 


Speaking of airport security, this article on the 6 Most Hilarious Ways People Breached 
wes Security is somewhat dated, but still entertaining: 


siaoorts sont bts 


RK KKK 


Cheers! 


The Fall 2017 issue of Whisky Advocate has an excellent article on counterfeit liquor and 
how to spot it. Part of the article can be found here: 
http: //whiskyadvocate.com/auctioneer-police-catch-whisky-thief 


KK KKK 


Master Baiters 


The Norfolk Southern Railway apologized for its “bait truck” operation in a Chicago 
neighborhood. This was a cooperative project with the Chicago Police Department. Bait 
trucks were left parked and locked or sealed, then carefully watched for attempted theft of 
their contents. The company acknowledged that the undercover operation “eroded trust 
between law enforcement and the community”. 


Critics have maintained that the operation constitutes entrapment and is meant to target 
minority communities. Proponents argue that this is a necessary tactic to try to counter the 
$27+ million theft of freight each year in the United States. For more information, see 
http: //www.chicagotribune.com/news/local/breaking/ct-met-bait-truck-norfolk- 


southern-apology-20180810-story.html 


KKK K 


Text Analytics 


Frank Partnoy has an interesting article in the Atlantic on text analytics—monitoring 
employees email and text messages (without attribution) to look for organizational 
changes in behavior, attitudes, and morale: 
https: //www.theatlantic.com/magazine/archive/2018/09/the-secrets-in-your-inbox/565745/. 


lil 
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Seems like a good way to shut down channels for employees to vent—maybe not so good 
for insider threats! 


KK KKK 


The Getaway Bike 


Divvy, the bike-sharing service has had to redesign its bike-locking hardware because 
thieves have figured out how to defeat the locks. Chicago police are also having to be on 
the lookout for criminals using rented Divvy bikes in the commission of other crimes. See 
http: //www.chicagotribune.com/news/local/breaking/ct-met-divvy-thefts-20180730- 


story.html 


KK KKK 


Police Cows 


Cows helped police capture a suspect: http://www.newser.com/story/263095/suspect- 
runs-into-pasture-the-cows-werent-having-it.html 


RR KKK 


On Having Good Security 


A sage quote, not about security but that is worth remembering for security: 
.. If learning the truth is [a man’s] goal, [he should] make himself an enemy of all that he 
reads, and, applying his mind to the core and margins of its content, attack it from every side. 
He should also suspect himself as he performs his critical examination of it, so that he may 
avoid falling into either prejudice or leniency. 
-- Alhacen (Ibn al-Haytham) (c. 965 - c. 1040) 


KK KKK 


On Vulnerability Assessments 


A man goes to the doctor complaining that he aches all over, and that everything he 
touches hurts. The doctor says, “OK, touch your elbow!” The man does, and lets out a yelp 
from the pain. “Hmm,” says the doctor. “Try touching your head.” The man complies, and 
grimaces. In fact, everywhere the doctor asks the man to touch clearly causes him great 
pain. The doctor is stumped and orders a complete set of X-rays and diagnostics. He tells 
his patient to come back 2 days later for the results. When the man returns, the doctor tells 
him, “Well, we found your problem.” The man sighs in relief. “OK, then Doc, what is wrong 
with me?” “You have a broken finger,” says the doctor. 
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On Security “Testing” 
There are more things in heaven and earth, Horatio, 


Than are dreamt of in your philosophy. 
-- William Shakespeare (1564-1616), Hamlet, scene v 


KK KKK 


On Threat Assessments 


Why do zombies eat brains? It’s actually a complex issue. For a thorough analysis, see 
“Why Zombies Eat Brains”, 
://www.todayifoundout.com/index.php/2014/12/zombies-always-depicted-brain- 


KK KKK 


-- Roger Johnston 
Oswego, Illinois 
August 2018 
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Scanners, Hashes, and Election Security 
Paul Burke 


http://Votewell.net 


COUN TING 
THERE 's 


este 
NGIkK 


ABSTRACT 


Thomas Nast Harper’s Weekly 1870 


THATS WHATS THE MATTER 


Election security is a challenge. We cannot stop hackers mv» = sents von wham ym gine Oshon WP mt 
with 100% assurance, so paper ballots are the first defense. 
They are not enough, because hand-counting 100 million ballots would be a nightmare if a 
widespread hack changes winners all over the country. The second defense is to scan those paper 
ballots, as some election jurisdictions already do. Scanning fixes several problems. Digital signatures, 
or hash values, will ensure reliable scans and copies. Storing these copies separately will foil break- 
ins, fire, flood, and insider risks. The copies can be independently counted, and attackers cannot 
subvert them all. Scans remove barriers which make election audits hard. Scans address risks in 
election machines. These do not go online, but they can be hacked when they are at the manufacturer, 
when they get annual updates, when they wait unguarded in precincts, and when results are copied 
out electronically for posting on the web. We need to work with these machines, since they cost 
millions to replace. I look at audits and hand-counts in California, Colorado, Florida, Georgia, 
Maryland, Nevada and Washington. Scans and independent counts will reveal when official counts 
are wrong, and will let us recover. 


ELECTION AUDITS 


One widely discussed method for better election security is to have paper ballots and a "risk- 
limiting audit" of a small number of contests, along with 100% hand-count of any contests where an 
audit finds different winners from official counts.1 


Manual audits, even of just a few contests, are too time-consuming to do on election day, so ballots 
need to be stored securely until the audit. But secure storage is hard. Many different people may be 
authorized to be in public buildings. Locks can be picked. Keys can be copied or stolen. Tamper- 
evident seals can be counterfeited, spoofed, or replaced, or simply cut to destroy trust. Security 


1 Adida, Ben and 102 other signatures. (2017-06-21). "Dear Member of Congress." National Election Defense Coalition 

Hoffman-Andrews, Jacob, 2016-12-16, "Voting with Risk-Limiting Audits: Better, Faster, Cheaper" Electronic Frontier 
Foundation. 

Presidential Commission on Election Administration. (2014-01). The American Voting Experience: Report and 
Recommendations. 

American Statistical Association. (2010-04). "Statement on Risk-limiting Auditing." 

Lindeman, Mark, Mark Halvorson, Pamela Smith, Lynn Garland, Vittorio Addona, Dan McCrea. (2008-09-01). Principles and 
Best Practices for Post-Election Audits". Brennan Center for Justice et al. 

2 Johnston, Roger G and Jon S. Warner. (2012). "How to Choose and Use Seals" Army Sustainment, 

Appel, Andrew. (2011). "Security seals on voting machines: a case study", ACM 

Coherent Cyber, Freeman, Craft McGregor Group (2017-08-28). "Security Test Report ES&S Electionware 5.2.1.0" California 
Secretary of State. Page 12. 
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systems can be hacked before and after delivery. All states have inadequate laws on ballot security.3 
Election officials overlook threats from insiders, who can be blackmailed, bribed, tricked, or simply 
make mistakes. People also keep adding security rules* and overlook the difficulty of actually 
following all security procedures. Organizations do not want to learn their vulnerabilities, so 
intrusions are "crazy easy".5 Security recommendations for elections include preventing access by 
anyone working alone,¢ which would typically require at least two hard-to-pick locks, and no one 
person having keys to both locks. Election staff can find this level of security insulting, and in historic 
courthouses do not want to keep drilling holes for better locks. 


Cuyahoga County, OH (Cleveland) election workers entered storage rooms in advance and secretly 
went through the ballots to make public audits appear problem-free. In court these staff "countered 
that the board had always done things that way - with the knowledge of its attorney,"7 Broward County, 
FL (Fort Lauderdale) elections staff erroneously destroyed ballots before the law allowed, and while 
a court case for them was pending.’ Kennesaw State University, which managed Georgia's elections, 
erased election records after a court case was filed, and erased the backup after the case moved to 
federal court.? The Clark County, NV (Las Vegas) Registrar of Voters opened the ballot boxes in secret, 
did a secret recount before the public one, and hid the results.1° The Registrar said, "You're asking 
what my results were when we practiced? I can't tell you that." 


Do we need to back up ballots? What can go wrong? As far back as 1994, election machines were 
hacked in the election which put Nelson Mandela in power; we know because the hacker(s) increased 
counts fast enough to notice, and the election manager revealed it 15 years later.1! In 2014, election 
machines were hacked in Ukraine; we know because officials saw the virus, fixed it, and reported it 
the next day.!2 In 2016, VR Systems in the US, which manages voter registration and online results,!3 
was hacked; we know because the NSA wrote a secret report eight months later, and a decorated Air 
Force veteran, Reality Winner, sacrificed her freedom to leak the report.14 


Federal investigations do not correct elections in time. Official guidance from the Justice 
Department since 2007, and confirmed in December 2017, does not allow any overt investigation 


3 Benaloh et al. (2017). Public Evidence from Secret Ballots. in Electronic voting : second International Joint Conference, E- 
Vote-ID_ 2017, Bregenz, Austria, October 24-27, 2017, proceedings (PDF). Cham, Switzerland. p. 122. ISBN 
9783319686875. OCLC 1006721597 

4For example Colorado's security rules are divided among 14 pages at "8 CCR 1505-1 Rule 20. County Security Procedures." 
and 9 other sets of rules listed at "Chapter 18: County Security Procedures." Colorado Secretary of State. 

5 Seivold, Garett (2018-04-02). "Physical Security Threats and Vulnerabilities - LPM". losspreventionmedia.com. 

6 Lindeman, Mark, Mark Halvorson, Pamela Smith, Lynn Garland, Vittorio Addona, Dan McCrea (2008-09-01). "Best 
Practices: Chain of Custody and Ballot Accounting, ElectionAudits.org" Brennan Center for Justice et al. 

7 Turner, Karl. (2007-11-5). "Elections board workers take plea deal." Cleveland Plain Dealer. 

8 Singhal, Raag. (2018-05-11). "Order on Plaintiff's Motion for Summary Judgment." Circuit Court of the 17% Judicial District. 
CACE17-010904(21) 

Friesdat, Lulu. (2017-12-10). "Was the Heated 2016 Democratic Primary Rigged for Debbie Wasserman Schultz?" Alternet. 


° Gumbel, Andrew. (2018-08-13). "Why US elections remain ‘dangerously vulnerable’ to cyber-attacks." The Guardian. 

10 RecountNow. (2017-01-11). "Report on the 2016 Presidential Recount in Clark County, Nevada." Page 20. 

11 Harris, Peter. (2010). Birth: The Conspiracy to Stop the '94 Election. Penguin. Page 276. 

Laing, Aislinn. (2010-10-24). "Election won by Mandela 'rigged by opposition'." The Telegraph. 

12 Clayton, Mark. (2014-06-17). "Ukraine election narrowly avoided 'wanton destruction’ from hackers" Christian Science 
Monitor 

13 Sherman, Amy. (2016-10-19). "Premature posting of election results was mistake, not a crime." Miami Herald. 

14 Savage, Charlie. (2017-06-05). "Intelligence Contractor Is Charged in First Leak Case under Trump." New York Times. 

Fessler, Pam. (2017-07-31). "Timeline: Foreign Efforts to Hack State Election Systems and How Officials Responded." 
National Public Radio. 
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until an election is over and results are certified.15 Only then do they explore "countervailing 
considerations" before deciding whether to tell the public.16 


Air-gapped computers in the electric grid,!” CIA,!8 and NSA!9 have been hacked, and they have far 
better defenses than election machines. On average, it takes 200 days to detect malware, and Rich 
Barger, a private security expert says, "We have to operate knowing that they're going to get inside 
sometimes... [we need] to limit a hacker’s ability to maneuver and creat[e] better ways to detect."2° 
Hacked machines can easily give correct results in "Logic and Accuracy" tests of a few ballots, and 
wrong results in large-scale use. 


SCANNING BALLOTS 


This paper explores a way to use scans of ballots to bypass storage failures, bypass bugged or 
hacked vote-counting, and allow recovery at lower cost than hand-counts. The paper is written with 
the United States in mind, but applies in any place where people can doubt election results. 


Risk-limiting audits shift election vulnerability away from certified vote-counting machines, and 
onto ballot storage, off-the-shelf vote-counting machines, and difficult 100% hand-counts. I suggest 
that we shift to scanners because they are far simpler to defend than storage, vote-counting 
machines, and hand-counts. In particular, I propose: 


e Electronically scanning paper ballots right after the election. 

e Calculating a digital signature or hash value to identify true copies of the scan. 

e Distributing the scans and hash values widely enough for later independent checking of 
election results. 


People can print or electronically count these scans to check official counts. They can audit these 
scans too. There are multiple issues associated with scanning: 


1. Humboldt County, CA, has scanned ballots with open source software since 2008, several days 
after each election. They found 200 ballots lost by the election machines the first time they 
scanned.21 


2. Humboldt provides a digital signature or "hash value" for each file of ballot images. The hash 
value is along number, calculated from the ballot images, so any change in the file gives a different 
hash value, revealing that the file was changed.22, Rescanning the same ballots also gives a 


15 Pilger, Richard, editor. (2017-12). "Federal Prosecution of Election Offenses." Justice. Page 84. 

Donsanto, Craig and Nancy Simmons. (2007-05-07). "Federal Prosecution of Election Offenses." Justice. Page 92. 

16 Raman, Sujit et al. (2018-07-19). "Report of the Attorney General's Cyber-Digital Task Force. Justice. Page 17. 

17 Bade, Gavin. (2018-07-24). "Russian hackers infiltrated utility control rooms, DHS says." UtilityDive. 

Greenberg, Andy. (2017-09-06). "Hackers Gain Direct Access to US Power Grid Controls." Wired. 

18 Derespina, Cody. (2017-03-07). "WikiLeaks releases ‘entire hacking capacity of the CIA'" Fox News. 

19 Condliffe, Jamie. (2016-08-18). "Security Experts Agree: The NSA Was Hacked." MIT Technology Review. 

Shane, Scott, Nicole Perlroth and David E. Sanger. (2017-09-12). "Security Breach and Spilled Secrets Have Shaken the N.S.A. 
to Its Core." New York Times. 

20 Barger, Peter, quoted in Brendan Koerner. (2016-10-23). "Inside the Cyberattack that Shocked the US Government." 
Wired. 

21 Zetter, Kim (2008-12-08). "Unique Transparency Program Uncovers Problems with Voting Software". Wired. 

22 Wenzel, Maira et al. (2017-03-29). "Ensuring Data Integrity with Hash Codes." Microsoft. 
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different hash value, from dust and variations in image position, so a hash value identifies a 
specific scan, done at one time. 


3. The private company Clear Ballot scans ballots in 7 Florida counties?3 and 6 Vermont towns,24 
though their scanned files could be improved by having hash values.25 Florida law lets counties 
choose between (a) hand-counting one contest in 1%-2% of precincts, or (b) scanning and 
machine-counting all contests in 20%-100% of precincts.26 Seven counties chose the thorough 
scanning over the 2% hand-counting. When the Vermont Secretary of State began scanning, he 
was able to expand his audits from two contests to all contests, and from 4 towns to 6 towns.?27 


4. Election scanners need to have as little software as possible, converting light and dark marks on 
the paper to ballot images, advancing to the next ballot, creating multiple thumb drives, and 
calculating a hash value of the image file, with a public algorithm. All these functions can be ina 
ROM chip, provided the maker (a) publishes another hash value of the software, (b) gives officials 
and observers a port on the circuit board or other way to validate that the chip in each scanner 
during an election has the right hash value, and (c) lets outsiders read the source code, verify it 
does only what it says, and verify the compiled version has the published hash value. Testing the 
code is not enough, they need to read it because the National Institute of Standards and 
Technology has told the Election Assistance Commission that, "experience in testing software and 
systems has shown that testing to high degrees of security and reliability is from a practical 
perspective not possible."28 


5. Inthe short term, in a few places, off-the-shelf scanners can be used. They are not a big target for 
hacking, since they are rarely used in elections, are rarely updated, and do not sit unguarded in 
precincts. In the longer term, hash values are needed for scanners. Hash values are not practical 
for certified election systems, because those systems use many PC software components, which 
are hard to validate on election day. 


6. Independent vulnerability researchers have critiqued the vulnerabilities of certified software, 
and need to do the same for scanners and hash values. Development will need close cooperation 
with makers of scanners. 


7. Scanning right after the election minimizes risks of ballot storage, such as fire, water damage and 
break-ins to add, remove or change ballots, change other records, or even just break seals. 
Scanning the day after the election involves one night of storage. Scanning on election night can 
be even better, but it adds another sensitive task to a stressful day when election officials already 


23 Stofan, Jake. (2018-04-25). "Leon County among Florida precincts to implement Clear Audit for elections." WCTV. 

Clear Ballot (2016-12-14). "Clear Ballot's Audit of Florida's Presidential Election Results a Success." 

24 Elder-Conors, Liam. (2016-11-23). "Vermont Secretary of State's Office to Audit Election Results from 6 Towns." Vermont 
Public Radio. 

Vermont Secretary of State. (2014-11-17). "Secretary of State Jim Condos to conduct election audit." 

25 Clear Ballot. (2018). "ClearAudit." 

Professor Poorvi Vora critiqued Maryland's transfer of ballot images without hash values (2016-11-06). "Exhibit B." Pages 
20-23 in Lamone, Linda H. (2016-12-22). "Joint Chairman's Report on the 2016 Post-Election Tabulation Audit." 
Maryland State Board of Elections 

Dion, Deborah. (2018-05-14). "We Just Defeated the Supervisor of Elections in Court!" Tim Canova for Congress. 

26 Florida Statutes. (2016). "101.591 - Voting system audit." 

Florida Administrative Rules (2014-01). "1S-5.026 Post-Election Certification Voting System Audit." Sections (4)(c)3. and 
(4)(d)3. 

27 Moretti, M. Mindy. (2016-12-08). "Maryland conducts first statewide audit of election results." electionlineWeekly. 

28 Security and Transparency Subcommittee. (2006-11). "Requiring Software Independence in VVSG 2007: STS 
Recommendations for the TGDC." Technical Guidelines Development Committee, NIST 


10. 


11. 


12. 
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wake before dawn to respond to problems opening the polls, ranging from broken equipment to 
missing extension cords. Leon County (Tallahassee), and probably other Florida counties, scan 
each day of early ballots on the next day, and election-day ballots on the next two days, 
Wednesday and Thursday. If people mistrust a night of storage, they can arrange observers to 
watch it. 


Scanning can be centralized in each jurisdiction, since at least some elections already have good 
security to transport ballots from polling places, such as by convoys of different party members. 
Large counties can use several scanning centers. The alternative, scanning at each polling place, 
would require software verified in geographically dispersed scanners and reliable distribution of 
the copies and hash values from each polling place, which seem unlikely. Maryland found that 
precinct scanners, which were part of the official election system, varied in image quality, with 
flawed sensors and dirt creating a black line through the voters' choices, and causing the false 
impression of overvotes.2? Washington found that a faulty sensor in a precinct scanner created a 
white line down the page. This, combined with software decisions, caused voters’ choices to be 
ignored.2° 


Each hash value can be made public, since it reveals no one's vote. It needs to go directly to 
enough reliable witnesses, so that when election thieves offer other hash values, compatible with 
other purported scan files, the public and courts can know which is right. 


Making scans public is not required and would risk voter privacy. If someone gives money to an 
uncommon mix of candidates, such as very conservative national candidates and very liberal local 
candidates, or supports an uncommon mix on social media, her ballot can be found in a public 
release of ballot scans, revealing all her other unknown choices. Processing ballots to show each 
contest in a separate file, in random order, would protect her privacy, but requires processing in 
a computer, with its scope for hacking. 


If scans are not made public, the scans need to go to enough officials so every losing candidate 
and most of the public has someone they trust to read the scan and find the correct count. These 
may be elected or appointed officials of all parties or factions, foreign election supervisors, judges, 
respected academics who can keep the scans secure, etc. The breadth of distribution measures 
the willingness of election officials to have their honest errors checked. The advantage of digital 
copies is that enough copies are easily made, and stored in multiple officials’ safes, so subverting 
them all is far harder than cutting a few ballot seals to make the original ballots untrustworthy. 


When counts from the scan show a different winner from official counts, independent holders of 
the scan will consult and if necessary go to court to correct official counts. This does not ensure 
courts decide correctly, but makes clear if they did or did not. The paper ballots can still be hand- 
counted, but after a long period of storage, they are more suspect than a rigorous election scan 
right after the election, and far harder to count accurately, though the public will need to decide 
if hand-counting is worth it. 


29 Walker, Natasha. (2017-02-13). "2016 Post Election Audits in Maryland."U.S. Election Assistance Commission’s Technical 


Guidelines Development Committee. 


Ryan, Tom and Benny White. (2016-11-30). "Transcript of Email on Ballot Images," Pima County, AZ email concerning 


Maryland experience. 


Lamone, Linda H. (2016-12-22). "Joint Chairman's Report on the 2016 Post-Election Tabulation Audit." Maryland State 


Board of Elections. 


Maryland State Board of Elections. (2016-10-04). "Post-Election Tabulation Audit Pilot Program Report." 
30 Gideon, John. (2005-07-05). "Hart InterCivic Optical-Scan Has a Weak Spot." VotersUnite. 


13. 


14. 


15. 


16. 


17. 


18. 


19. 


20. 
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Scans can have risk-limiting audits, and discrepancies should lead to investigation about whether 
the storage or the scan failed. 


Election machines themselves often create and store scans,?! but these are not independent 
copies, and they lack hash values. Bugs and hacks at election vendors can change these scans. 
Professor Halderman at the University of Michigan maintains that a graduate student could write 
a program to hack the scans.32 The California Secretary of State hired Jacob Stauffer to evaluate 
election machines in 2016, and his staff changed scans made by these machines without the 
system noticing them.?3 


The scanner should not count ballots, since counting requires a lot of error-prone software to 
identify contests. The election authority can offer software to count the scans, as Trachtenberg 
in Humboldt County and FreeandFair do.34 Value comes from independent holders of the scans 
choosing independent software to count the scans. 


Early voting and mailed ballots received before or after election day, can be handled by scanning 
each day or by storage. Storing unscanned ballots (as we do now) raises the risk of harm to them. 
On the other hand, scanning them immediately and storing scans raises the risk of someone 
counting a scan prematurely, announcing a result and discouraging remaining voters. This can 
be prosecuted, so is the smaller risk. It is no worse than the present ability to read counts from 
voting machines every day. Provisional ballots can be scanned with a hash value after they are 
approved. 


Counting software displays the most ambiguous marks from scans, so humans can review them 
without knowing who will gain or lose a vote. This is a sample from Clear Ballot.35 
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Voters need to be told if election machines and scanners cannot detect some colors such as pale 
blue and red. Voters can still use undetectable, disappearing, or color-shifting inks, just as they 
can cast blank ballots, and the effect is the same. 


Election officials track the number of ballots voted at each polling place. These totals can be used 
as a check on the scans of actual ballots only if the tracking is as public as the ballot boxes, and if 
the totals are widely distributed right after the election so these totals are as reliable as the scans. 


Scanners priced around $4,000 process 100 or more ballots per minute, both sides at once, or 
5,000 per hour.36 Ballots with more than two sides will take longer. Renting cuts the cost.3” 


31 Harris, Bev. (2016-11-25). "The Brakey Method." BlackBoxVoting. 


32 Alex Halderman, (2017-08). "Recount 2016 Report with Jill Stein and Alex Halderman." Democracy Convention. 


youtu.be/JzH3qhpuxEQ?t=2095s 


33 Stauffer, Jacob (2016-11-04), page 4. "Vulnerability & Security Assessment Report Election Systems &Software's Unity 


3.4.1.0" Verified Voting. 


34 Trachtenberg, Mitch. (2013-11-23). Democracy Counts 
Free & Fair. (2018). "Open and Free Election Technology." 
35 Walker, Natasha. (2017-02-13). "2016 Post Election Audits in Maryland."U.S. Election Assistance Commission’s Technical 


Guidelines Development Committee. 


36 "High Speed Scanners." Scantastic 


37 "RentScan." Fujitsu. 
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About 26% of US counties have less than 5,000 ballots, and 67% have less than 20,000.38 The 
largest, Los Angeles, has 2,300,000 precinct ballots and 1,200,000 mailed ballots.29 They could 
use 30 scanners to finish in two shifts, or faster scanners. Scanning would save them the extreme 
burden of hand-counting 3,500,000 ballots in case of problems. 


21. The concept of a paper ballot includes paper marked by voters, or paper printed by a computer 
as long as the voter can check that the printout is correct. Many machines in the United States 
print ballot choices on a continuous roll of paper behind a window, where voters can see and 
check just their own choices.4° Scanners have sheet feeders. Some scanners can accept 
continuous rolls of paper but may need extra engineering to provide spindles for the source and 
take-up reels,*1 like the scanners for player piano rolls.42 


AUDITING BALLOTS BY HAND 


European elections often have just one parliamentary or council race on the ballot and are 
relatively easy to count by hand on election night. Elections in the United States and many other 
countries have multiple contests on the ballot, so computers count them. Hand-audits have been used 
to find computer errors. 


About 28 states audit state-wide contests, 19 do so by hand, and 11 of these expand to 100% hand- 
counts and revise the outcome if the samples find problems (AK, AZ, CO, DC, MN, MT, NC, NM, OR, RI, 
WV).43 Four other hand-count states investigate, so they may find problems in storage, computers 
or hand-counts (MO, UT, VA, WI). Only 2 states check all local contests by hand (AK, WV). Several 
states, like California, just report discrepancies without necessarily taking action. Most election 
audits cover too few precincts to be reliable. Maryland hires Clear Ballot to recount ballot images 
created by Maryland's official system.*+ Clear Ballot counts voter marks or bar codes on the ballot 
images. It does not read the candidate names nor go back to the original paper ballots.45 


In the modern world, samples are valuable when they are cheaper or more accurate than collecting 
complete data, for example testing products to destruction, or long interviews. Complete data are 
better when they are more affordable and accurate than samples, or when every case matters, for 
example school attendance, airplane inspections, and scanned files of ballots. We do not just inspect 
big important airplanes every time they take off, or 3% of airplanes; we inspect them all. 


Hand-counts and audits, like scanners, have multiple issues: 


38 Figures are only approximate, since they are based on the 2016 national vote as a fraction of the national population, 
applied to each county's population. This is too low for counties with high turnout or more adults, and vice versa. Over- 
and under-estimates may not balance. 

39 California Secretary of State. (2016-12-16). "Statement of Vote." 

40 For example the Ivotronic: "Election Systems and Software (ES&S) iVotronic." VerifiedVoting. Its paper roll is 82 feet long: 
"{Votronic Communication Pack Rolls." Intab. 

41 Fujitsu fi7600 can process up to 200 meters of paper tape without cutting it, breaking it into images of any length up to 
34". Normal speed is 100 pages per minute, or 850 inches per minute, so 82 feet in 1.2 minutes, $4,155 at scantastik. 

Contex IQ 2490 can pull through at 14 inches per second, so 82 feet in 1.2 minutes, $3,895 at scantastik. 

HP T830 can process 4.5 inches per second, so 82 feet in 3.6 minutes, $3,245 list. 


42 Spencer's E-Rolls 
43 VerifiedVoting. (2018). "State Audit Laws Searchable Database." 


"Election Audit Practices, by state." Sortable list 

44 Maryland Board of Elections. (2018). "2018 Primary Election: Post-Election Ballot Tabulation Audit." 

45 Vora, Poorvi. (2016-11-06). "Exhibit B." Pages 20-23 in Lamone, Linda H. (2016-12-22). "Joint Chairman's Report on the 
2016 Post-Election Tabulation Audit." Maryland State Board of Elections 
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A. Ballots must be physically secure from election day until the audit, as already discussed. I have 
not found any comparison of physical security around the country. Jurisdictions vary. Audit 
advocates such as Professors Stark and Wagner of Berkeley recognize the need to investigate if 
physical security was maintained, *° but do not accept how hard it is, nor advise how to recover 
the election when seals are broken or not checked, or when the storage room has a single lock, 
regardless of how few or many people have keys to that lock. 


B. Samples in risk-limiting audits are designed to leave some fraction of erroneous results 
undiscovered; for example 9% in Colorado in 2017 and 5% in 2018.4” The smaller the limit, the 
bigger the samples needed, especially in close elections. On any election day some elections are 
close and require large samples for reliability. Maryland decided not to use risk-limiting audits, 
because of the high cost of auditing close contests.48 


C. For most contests, risk-limiting audits do not need big samples, so it is surprising they audit only 
a few contests in each election (Table 1). Colorado audited 50 out of 500 local contests in 2017, 
one in each county, and checked none of the closest contests.*9 In the 2018 primary, they chose 
one contest in each party in each county, again without choosing any close contests,>° and the 
Secretary of State says explicitly it is not a random process,>! so the contests are not a 
representative sample. An alternative which checks all results is safer. 


Table 1. Risk-Limiting Audits 


Neer oe Long Distance 
Contests Independent Count of ernae 
Year Place . Transmission of 
Audited Ballots 
Ballots or Images 
per Ballot 
2018 | Colorado 1 F Internet, with hash 
017 | Colorado Secretary of State, no details alee 
2016 Carrall = Mpnteomeny 3 No check, used official count | None, local 
Counties, MD 
2011 | Orange County, CA 1 No check, used official count | None, local 


Humboldt County, CA TEVS*2 None, local 


Not needed, polling audit 
2011 | Monterey County, CA 1 with enough ballots to check | Not needed 
total independently 
Ventura County, CA 1 Car + driver 
2011 | San Luis Obispo County, CA 2 ; 
2011 | Stanislaus County, CA 1 OpenCount, run by UCSD re oe 
2011 | Alameda County, CA 4 graduate student? oe a ne 
2011 | Merced County, CA 2 
2012 | Marin County, CA 2 


46 Stark, P.B. & D.A. Wagner. (2012). "Evidence-Based Elections" [EEE Security & Privacy. 

47 Colorado Secretary of State. (2018-05-25). "2018 RLA Background." 

48 Maryland State Board of Elections. (2016-10-04). "Post-Election Tabulation Audit Pilot Program Report." Page 27. 

49 Audited contests are listed at sos.state.co.us/pubs/elections/auditcenter.html 

All contests are listed in votewell.net/count.xlsx from results.enr.clarityelections.com/CO/71802/Web02-state/#/ 

50 Colorado Secretary of State. (2018-07-05). "Target contests for risk-limiting audits, Rev. A." 

51 Williams, Wayne. (2018-07-06). "2018-01. Target Contests for Risk-Limiting Audits of 2018 Primary Election." Colorado 
Secretary of State. 

52 Trachtenberg, Mitch. (2013-11-23). Democracy Counts 

53 Wang, Kai et al. "Operator-Assisted Tabulation of Optical Scan Ballots." USENIX. Later developments at Free & Fair 
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D. Efficient audits, as in most of Colorado, test if paper ballots match the voting machine records for 
those ballots to find any discrepancies. Audits also need to test if the machine records were 
counted correctly to get the official counts. Thus, audits need a bug-free, hack-free, independent 
count of the machine records, as stated by Professor Stark in his "Gentle Introduction to Risk- 
Limiting Audits."54 Audit advocates have not described a way to count independently. Table 1 
shows what has been done so far. Colorado counties transmit election machine records over the 
internet to the state with hash values®5 so the state can count them independently. "[T]here is no 
publicly observable means to verify" this count, according to prominent experts, professors 
Lindeman, Rivest, Stark and McBurnett.°° Maryland's test of risk-limiting audits5’ used their 
official counting software, so it had no independent count. 


E. In California's test of risk-limiting audits, most counties created ballot images and sent them toa 
graduate student at the University of California at San Diego (UCSD) for independent counting. 
The final report said Ventura used a car and driver to deliver the ballot images, because its 
internet upload failed, which implies other counties uploaded to the internet.58 The report does 
not mention hash values or UCSD's computer security. If someone was skilled enough to hack an 
official 2011-12 election in California, she could hack the internet transmission or the UCSD 
independent count, and ensure audit results confirmed the hacked official count. The California 
pilot study very publicly compared a sample of ballots to images in each county, but there would 
be no errors in those images to detect, if the hack was during transmission or in the UCSD count. 


F. This hypothetical UCSD hack applies anywhere. Any computer able to receive and count 
thousands or millions of ballots has multiple people, an operating system, drives, software, all 
with patches and zero-days®? which criminals can use to change the counts. Undetectable 
approaches to hack counting software include a vote-stealing virus like the example written by 
Feldman, Halderman, and Felten at Princeton © or a counterfeit version of SQL or other counting 
software, like the counterfeit which a Lithuanian researcher, Tomas Meskauskas, found for 
Chrome.®! If the counting computer is air-gapped during an election, the virus or worm has to be 
smart enough to hitch a ride into the system and operate on its own, like Feldman et al. (or 
Stuxnet®3). If it is not air-gapped, hackers will use a zero-day to install a backdoor and monitor 
and control it remotely. Once installed, bad software can take instructions from a ballot: perhaps 
a write-in with a key pattern of letters. The approach in this paper is to cut the risk of hacked 
counts by using more secure scanners, and giving scans to several independent officials for 
independent counting with different software on different computers, maybe new ones, so it is 
hard to hack them all. 


54 Stark, Philip (2012-03-16). "Gentle Introduction to Risk-limiting Audits" JEEE Security & Privacy, p.3, section III B(i). 

55 Colorado Election Rule 25.2.2 (f)(2) 

56 Lindeman, Mark, Ronald L. Rivest, Philip B. Stark and Neal McBurnett (2018-01-03). "Comments re statistics of auditing 
the 2018 Colorado elections" Colorado Secretary of State. 

57 Maryland State Board of Elections. (2016-10-04). "Post-Election Tabulation Audit Pilot Program Report." Page 16. 

58 California Secretary of State. (2014-07-30). "Post-Election Risk-Limiting Audit Pilot Program 2011-2013, Final Report to 
the United States Election Assistance Commission." Pages 12-13, 16. 

59 Zetter, Kim. (2014-11-11). "Hacker Lexicon: What Is A Zero Day?" Wired. 

60 Feldman, Ariel J., J. Alex Halderman, and Edward W. Felten (2006-09-13). "Security Analysis of the Diebold AccuVote-TS 
Voting Machine." Princeton University Center for Information Technology Policy. 

61 Newman, Jared. (2015-10-19). "Tricky new malware replaces your entire browser with a dangerous Chrome lookalike." 
PCWorld. 

62 Feldman, Halderman, and Felten (2006-09-13) op. cit. 

63 Kushner, David. (2013-02-26). "The Real Story of Stuxnet." JEEE Spectrum 
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G. When an audit suggests a machine bug or hack has reversed the winner in any contest, audit 
supporters want a 100% hand-count to confirm the new winner. They need to offer 
alternatives. 100% hand-counts are so burdensome in a large jurisdiction such as a state that it 
is understandable most states have not adopted rigorous audits. Audit advocates perhaps think 
reversed winners will never be common. Optimists! 


H. Scans offer benefits for risk-limiting audits. They allow multiple independent counts to foil 
hackers. They also protect audits from the cost of 100% hand-counts. When a scan changes a 
result, an audit will confirm either the scan or the original count, so there will be no need for a 
100% hand-count to confirm winners. 


I. Hand-counts can break down in many ways. Hand-counters may know the machine record they 
need to match. Colorado explicitly let counting staff see the machine record while auditing each 
paper ballot. California did too in a 2011-2012 test.66 Maryland did not in a 2016 test.” Staff 
have been known to access ballots in advance, secretly, so they can select or change ballots to 
match erroneous machine results.®8 


J. Hand-counts rarely let the public or even candidates check the hand-counters, according to 
VerifiedVoting's list of state audit procedures.£? Looking over their shoulders or through a 
camera is rarely allowed and would be very time-consuming for the checkers, so hand-counters 
can change results, even by mistake. Usually one person reads votes to another who tallies, so 
either can change the count.”° Pairs doing each task would be slightly safer, but busy clerks resist 
the doubling of staff time. Minnesota law requires ballots to be sorted into a pile for each 
candidate, then counted, which allows fairly easy checking. They are sorted again for each 
contest.’7! Effective observers can also slow the process when they question judgment calls by 
counters on light marks and ambiguous marks. 


K. Hand-counts in New Hampshire contests from 1946 - 2002 showed an average error rate under 
1%.72 However, one town had errors up to 20%. A 2016 Indiana race had errors of 3%. 4%, 13%, 
24%, and 27% for different candidates. This was due to omitting absentee votes, double 
counting, and mis-counting groups of five tally marks.73 


64 Stark, Philip (2012-03-16). "Gentle Introduction to Risk-limiting Audits" JEEE Security & Privacy. Section III, pp. 2-4. 

American Statistical Association. (2010-04). "Statement on Risk-limiting Auditing." 

Lindeman, Mark (executive editor), Jennie Bretschneider, Sean Flaherty, Susannah Goodman, Mark Halvorson, Roger 
Johnston, Ronald L. Rivest, Pam Smith, Philip B. Stark (2012-10-01). "Risk-Limiting Post-Election Audits: Why and 
How". University of California at Berkeley. 

65 "Post-Election Audit." 8 CCR 1505-1 Rule 25.2.3 (a)(1). Colorado Secretary of State. 

66 California Secretary of State. (2013). "Post-Election Risk-Limiting Audit Pilot Program 2011-2013, Final Report to the 
United States Election Assistance Commission." Pages15-17. 

Marin County Elections Department. (2012). "Report on Post Canvass Risk Limiting Audit." In California Secretary of State. 
(2013). Appendices to Final Report [to EAC]. Page 89 

67 Maryland State Board of Elections. (2016-10-04). "Post-Election Tabulation Audit Pilot Program Report." Page 15. 

68 Harris, Bev. (2016-11-25). "When Is a Recount a Sham?" BlackBoxVoting. 

Turner, Karl. (2007-11-5). "Elections board workers take plea deal." Cleveland Plain Dealer. 

69 VerifiedVoting. (2018). "State Audit Laws Searchable Database." 

70 Maryland State Board of Elections. (2016-10-04). "Post-Election Tabulation Audit Pilot Program Report." Pages 16, 18. 

71 Minnesota Secretary of State. (2018). "Post-Election Review Guide." Page 24. 

72 Ansolabehere, Stephen, and Andrew Reeves. (2004-01). "Using Recounts to Measure the Accuracy of Vote Tabulations: 
Evidence from New Hampshire Elections 1946-20021." CALTECH/MIT Voting Technology Project. 

73 Beilman, Elizabeth, (2016-02-10). "Jeffersonville City Council At-large recount tally sheets show vote differences." News 
and Tribune, Jeffersonville, IN. 
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When the number of stored 
ballots does not match election- 
day records, either can be wrong 
and a later audit cannot tell the 
difference. If ballots are missing, 
they cannot be audited. In the 
2016 Presidential recount of 
Michigan, 11% of precincts could 
not be recounted because of 
mismatches.74 In the 2016 
primary in Broward County FL, 
192 of 211 precincts had different 
numbers of voters and ballots.75 
North Carolina law forbids audits 
when records do not match.7¢ 


. Figure 1 shows counting costs. In 
a 2006 pilot study, Georgia 
counties hand-counted about 40 


Journal of Physical Security 11(1), 1-19 (2018) 


Figure 1. Cost to Hand-Count, or Scan, Ballots (Standardized at $17/Hour) 
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Hand-Count One Contest in Each County, Washington State, 2004 
Scan and Machine-Count All Contests in 2020 (cost of scanner, staff + counts) 


contests on paper _ tapes, 
averaging 25 minutes per ballot 
in Cobb County, 21 minutes in 
Bibb County and 11 minutes in 
Camden County.77 Paper tapes 
are the hardest ballots to audit. 
Staff often lost count and had to restart a roll of paper. After the pilot Georgia decided not to 
require audits or paper ballots. Clark County, NV (Las Vegas) in 2004 hand-counted 21 contests 
on paper tapes averaging 15 minutes staff time per ballot.78 Counties in Washington state in 2004 
hand-counted one race (Governor) with large variations, shown in the graph. The median was 
38 seconds staff time per ballot (2 people for 19s each; average 45s, standard deviation 36s).79 
California in 2011-12 ranged from $100 to $7,000 per county for risk-limiting audits, excluding 
cost of the independent count.8° None of the California counties audited a close race or needed a 
100% hand-count. An average cost is hard to estimate, since it would need to include some 
chance of 100% hand-counts. We do not know what chance, because we do not know what 
hackers will do. Do we expect at some point hackers will switch winners in 10% of contests? 
90%? The cost variations from county to county in Washington's 100% counts and California's 
sample counts appear to depend on how much setup cost they included in the total. 


N. For comparison, an estimate of scanning cost is $5,000 for training and running four open source 
counting programs on the scan, plus a scanner for each 40,000 ballots, at $1,000 (rent, or net cost 
of buying a scanner before the election then selling it), plus two people of different parties 


74 Kurth, Joel and Jonathan Oosting. (2016-12-12). "Records: Too many votes in 37% of Detroit’s precincts." Detroit News. 

75 Friesdat, Lulu. (2018-05-14). "Judge Rules Destruction of Broward Ballots Illegal." HollerBackFilm.com. 

76 VerifiedVoting. (2017-03). "State Audit Laws - North Carolina." 

77 Elections Division. (2007-04). "Voter Verified Paper Audit Trail Pilot Project Report." Georgia Secretary of State. Pages 
18-22, 42-63. 

78 Theisen, Ellen (2004). "Cost Estimate for Hand Counting 2% of the Precincts in the U.S." VotersUnite.org 

79 Summarized from Washington Secretary of State data provided by VotersUnite.org at votewell.net/count.xlsx 

80 California Secretary of State. (2014-7-30). "Appendices, Post-Election Risk-Limiting Audit Pilot Program 2011-2013 Final 
Report to the United States Election Assistance Commission." Pages 81-90 of the appendices. 
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running each scanner at 5,000 ballots per hour (Figure 1). In small counties, 100% hand counts 
are cheaper, though some may want scans as a backup. In big counties the cost is 4 to 10 cents 
per ballot. This budget allows finishing in 8 hours. Larger counties can cut costs 20% to 30% by 
using half as many scanners to finish in 16 hours. 


ELECTRONIC SECURITY 


Physical security of ballots matters because we cannot trust electronic security, so we need a 
reliable backup. Studies for the California Secretary of State found that new vote-counting machines 
in 2016 and 2017 came with many unpatched vulnerabilities.81 Bugs are at least as dangerous as 
hacks, and bugs are pervasive. 


Most of us want to trust our elections until proven otherwise, just as we trust our own computers 
and houses to be safe. But computers and houses are not safe, despite huge security efforts, so we 
have insurance and backups to help us recover from inevitable failures. Sometimes it helps to 
imagine elections in an anonymous country far away, where the loser does not trust the results, and 
we have no knowledge of winner, loser or election officials. What methods would help the winners 
or losers prove their case? 


Voting machines are subject to bugs and hacks, most seriously at in-state distributors and at 
manufacturers, which need internet connections to update their own computers and provide updates 
before the election. Election machines are delivered to polling places before election day,®2 so people 
have unsupervised access, which is enough to hack them, such as by plugging a keyboard into a USB 
port.83 Marilyn Marks, Executive Director of the Coalition for Good Governance, points out that on 
election night, when states update their detailed results, those results come from county staff 
regularly moving a flash drive between the air-gapped machine and a website, to post results, and it 
can carry infection back to the air-gapped machine to change later counts that night or in future 
elections.®4 If staff can be sure new flash drives are clean from the store, they need to use a new one 
for each transfer. The National Association of Secretaries of State agrees websites can be hacked, and 
physical access to voting machines needs to be controlled, but does not say how to control access 
after delivery to precincts.®5 


What the FBI said about hacking emails also has to apply to voting machines: 


e "We don’t have direct evidence that the server was successfully hacked. We wouldn’t, though, 
expect to see that evidence from sophisticated adversaries, given the nature of the adversary 
and given the nature of the system. "86 


81 Coherent Cyber, Freeman, Craft McGregor Group (2017-08-28). "Security Test Report ES&S Electionware 5.2.1.0" California 
Secretary of State. 

Stauffer, Jacob (2016-11-04). "Vulnerability & Security Assessment Report Election Systems &Software's Unity 3.4.1.0" 
Freeman, Craft, MacGregor Group for California Secretary of State. 

82 Felten, Ed. (2010-11-02). "E-Voting Links for Election Day" Freedom to Tinker. 

83 Doctorow, Cory. (2017-07-30). "Defcon vote-hacking village shows that "secure" voting machines can be broken in 
minutes. Boingboing. 

Uchill, Joe. (2017-07-29). "Hackers breach dozens of voting machines brought to conference." The Hill. 

84 Marks, Marilyn. (2017-06-13). "Georgia's Voting System, the Internet, and the Meaning of'Is.' " Medium. 

85 Benson, Maria. (2018-08-09). "NASS Statement on DEFCON Voting Machine Hacking Events." National Association of 
Secretaries of State. 

86 Comey, James. (2016-07-14). "Worldwide Threats to the Homeland: Isis and the New Wave of Terror, Hearing." 
Committee on Homeland Security, US House of Representatives. Transcript page.32. Video recording at 38:25. 
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The government believes that in 2016 all states’ election systems were scanned for vulnerabilities 
by foreigners: 


e Jeanette Manfra, Assistant Secretary for Cybersecurity & Communications, Department of 
Homeland Security: "We can assume that the majority of states were probably a target..." 

e Senator Claire McCaskill: "J want to make clear today on the record, it's likely that all 50 states 
were likely affected..." 

e Manfra: "Every organization is scanned a lot, sometimes thousands of times a day. What we 
were trying to differentiate between: we saw very concerning activity from known suspicious 
servers in this case... They were targeting to look for vulnerabilities... Probably tried all the 
states. These are the states we could see they were trying. That's right. "*’ 


They will continue to probe all states in the future, always with new methods that we would not 
expect to see traces of, so adversaries always stay ahead of defenders in at least some election 
machines. 


The FBI did not make an exception for voting systems when it said in 2014: 


e "there are two kinds of big companies in the United States. There are those who've been hacked 
by the Chinese and those who don't know they've been hacked by the Chinese"88 


The Justice Department's 2018 Cyber-Digital Task Force announced a new federal policy which 
explicitly limits public disclosure: 


e "To alert the public or other affected individuals, where the federal or national interests in doing 
so outweigh any countervailing considerations."89 


Justice Department investigations will not keep erroneous winners out of office, according to 
official guidance adopted in 2007, and confirmed in December 2017: 


e "[O]vert criminal investigative measures should not ordinarily be taken in matters involving 
alleged fraud in the manner in which votes were cast or counted until the election in question 
has been concluded, its results certified, and all recounts and election contests concluded. "96 


Investigations start late and take years. For example, an FBI investigation of 2002-2007 Kentucky 
election thefts reached an indictment in 2009, convictions in 2010, and appeals ended in 2013.9! 


87 Levine, Mike. (2018-04-24). "Russia likely targeted all 50 states in 2016, but has yet to try again, DHS cyber chief says." 
ABC News. 

Manfra, Jeanette and Claire McCaskill. (2018-04-24) "Mitigating America's Cybersecurity Risk, Hearing." Committee on 
Homeland Security and Governmental Affairs, US Senate. At 41 minutes. 

88 Comey, James. (2014-10-05). "FBI director on threat of ISIS, cybercrime." CBS 60 Minutes. 

89 Raman, Sujit et al. (2018-07-19). "Report of the Attorney General's Cyber-Digital Task Force. Justice. Page 17. 

90 Pilger, Richard, editor. (2017-12). "Federal Prosecution of Election Offenses." Justice. Page 84. 

Donsanto, Craig and Nancy Simmons. (2007-05-07). "Federal Prosecution of Election Offenses." Justice. Page 92. 

91 Vote riggers were sentenced to 26 years, appealed, and had sentences reduced to about three years: Estep, Bill. (2010- 
02-20). "Precinct worker testifies she stole votes - describes how she was coached by top clay county election officers." 
Lexington [KY] Herald-Leader. Page A3. Federal case: KY Eastern 6:09-cr-00016 USA v. Maricle et al, Filed 2009-03-03. 
Indictment. Jury Conviction. Retrial+guilty plea. 
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Copyright law restricts independent testing of security features on voting machines, except in 


limited cases when the copyright office or manufacturer gives permission.° 


a) 


Are election companies and subcontractors trustworthy? Can we trust and not verify? 


Most vendors are too small to have deep cybersecurity, or dedicated security staffs.23 


b) Erroneous software from respected companies is widespread. Major examples include faking 


d) 


emission results at VW, Opel, Mercedes, and Fiat; faking driver locations at Uber; inaccurate 
charges on checking accounts and credit cards at Wells Fargo; installation of a security flaw by 
Sony compact discs; and non-reporting of that flaw by anti-virus programs.9* So a company's 
reputation does not guarantee accurate software. Labs check election software but do not issue 
any hash value to ensure the version checked is the version used everywhere. Over 100,000 
software vulnerabilities are publicly known (besides zero-days, which are not public). Security 
consultant Rapid7 analyzed these 100,000 flaws and reports that many thousands have been 
found by each big web company, e.g., Oracle, Google, Microsoft, Cisco, IBM, Adobe, Qualcomm. % 


Verizon analyzes corporate security breaches each year and found on average 4% of recipients 
open each phishing message, and 22% open at least one per year.° 


The Association of Certified Fraud Examiners analyzes corporate fraud each year and estimates 
typical organizations lose 5% of revenue to fraud. Indeed, most companies have an occasional 
dishonest worker. In 40% of cases they are found by a tip, not by formal controls.9” Unless 
election companies and subcontractors have flawless ways to hire and supervise, they will have 
some worker dishonesty, and about 22% of their workers will open phishing messages. 


Hidden owners can be a problem. ByteGrid, a web-hosting company founded in 2010, which 
manages Maryland's election website (and many other websites for governments and 
companies) was bought in 2011 by Altpoint Capital Partners, majority owned by Vladimir 
Potanin, a close associate of President Putin. Both board members of the local company came 
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from the acquirer. Maryland found out in 2018, though state Senate President Mike Miller said 
the FBI "weren't really anxious for us to come forward" to tell the public.%8 


f) In 2017, the biggest manufacturer of voting machines, Election Systems & Software, put its staff 
passwords in a public file on Amazon Web Services with inadequate encryption: Jon Hendren at 
cyber risk company Upguard saw the file in a routine search. "The database also included 
encrypted versions of passwords for ES&S employee accounts. The encryption was strong enough 
to keep out a casual hacker but by no means impenetrable, said Hendren... 'The worse-case scenario 
is that they could be completely infiltrated right now' he said... Election Systems & Software is the 
largest vendor of voting systems in the United States." ES&S responded that the problem could 
have been caused by itself or its vendors.99 


g) In 2018, FiveThirtyEight, an election polling site, found that another big voting machine vendor, 
Dominion Voting, maintained a web page where election officials log in, and it "lacked basic SSL 
encryption, a standard security practice used to protect user credentials, passwords and other 
sensitive information. "19 


h) In March 2018, security reporters from the CSO news site found on the dark web over 100 email 
addresses of ES&S workers and smaller numbers at Dominion Voting, MicroVote and Unisyn.1° 
They also found passwords, though the companies said these passwords did not meet their 
current standards, so will have been changed. Nevertheless, with valid emails, attackers can 
spray password variations until they log in on at least one of the accounts and install malware, 
according to federal warnings and actual experience in the hotel industry.1°2 


i) In August 2016, Kennesaw State University, which managed Georgia's elections, put passwords 
and database files for vote tabulation online though they were supposed to be air-gapped. Wired 
reported that a Georgia researcher found the files and told the university, "Jf someone were to 
alter the files, machines could be made to record votes for the wrong candidate."!°3 The files had 
no password, and the site had a two-year-old vulnerability. The Los Angeles Times reported that 
a California researcher found the same website still had the same vulnerability in March 2017,1% 
just before the April special election for Congress. In that election, one memory card overtly 


98 Miller, Thomas (Mike). (2013-07-13). Quote is at 6:54 in video from WBAL-TV11: 
facebook.com/wbaltv11/videos/10156909822464218/ 

Donovan, Doug. (2018-08-07). "Maryland senators ask Treasury panel to investigate Russian oligarch's ties to state election 
contractor." Baltimore Sun. 

Broadwater, Luke and Jean Marbella. (2018-07-13). "State investigates Russian investor's ties to Maryland elections 
software." Baltimore Sun. 

Broadwater, Luke. (2018-07-16). "Data firm says Russian investors had no access to Maryland's voting system." Baltimore 
Sun. 

Crunchbase. (2018). "ByteGrid." 

Crunchbase. (2018). "Altpoint Capital Partners." 

99 Weise, Elizabeth. (2017-08-18). "Info on 1.8 million Chicago voters exposed on Amazon server ." USA Today. 

100 Malone, Clare. (2018-07-30). "Russians Are Targeting Private Election Companies, Too — And States Aren’t Doing Much 
About It." FiveThirtyEight. 

101 Porup, J.M. (2018-03-30). "Want to hack a voting machine? Hack the voting machine vendor first." CSO from IDG 

102 US CERT. (2018-03-28). "Alert (TA18-086A), Brute Force Attacks Conducted by Cyber Actors." US Computer Emergency 
Readiness Team. 

Holmes, David (2018-05-02). "Spring 2018 Password Attacks." Security Week. 

103 Zetter, Kim. (2017-06-14). "Will the Georgia Special Election Get Hacked?" Politico. 

104 Halper, Evan. (2017-07-28). "U.S. elections are an easier target for Russian hackers than once thought." Los Angeles 
Times. 


15 


Journal of Physical Security 11(1), 1-19 (2018) 


failed, which stopped counting for an hour and a quarter.1°5 Georgia does not have paper ballots 
to check. 


j) The election vendors and Georgia are not unique. No one is immune. Hackers learn new tricks 
from each other on the dark web, as described by Dylan Curran in The Guardian.1°® The White 
House says, "there are others that are considering making attempts in 2018."107 


k) A2018 poll by MIT Professor Charles Stewart finds that Republicans think domestic hackers are 
more likely than foreigners; Democrats think the opposite,1°8 but either is serious. 


Table 2 shows the interaction of physical and electronic intrusions. Elections can be breached by 
either method alone (columns A-D), but intrusions are most effective together (E). Strong 
adversaries can hire people to use both approaches. Even detected fraud undermines elections, 
unless there are feasible ways to recover true votes and undo the fraud. 


Table 2. Scenarios of Physical and Electronic Intrusions 


A B C D E 
Broad Big Hack 
Scenarios of Election Theft Small Hack Medium Hack| Break-In and 
Small Hack Break-In 


Bug or hack at machine vendor shifts 


DAU; GE vetse All precincts) All precincts All precincts 


Bug or hack at vendor shifts 20% of Biggest 3% of | Biggest 10% All 
votes precincts of precincts precincts 


Break-in to cut seals or change total All All 
number of ballots enough to prevent heciiake pacinite 
recount, or change 20% of votes P P 


3% in places 
with 33 
Zero precincts. 17% | 8% to 46% Zero Zero 
in places with 
200 precincts 


Odds that 3% sample of precincts 
will detect fraud 


Odds that random audit with 9% 


0 0 0 
risk limit will detect fraud 74% 91% 21% zero cone 


Cost to perpetrator Thousands Thousands Thousands | Thousands | Thousands 


Only 11 states have even these odds, the states which hand-count a sample and correct the results. 
ELECTION OFFICIALS 


Most jurisdictions cannot afford sophisticated physical security, and must also trust vendors’ 
electronic security. 


Most jurisdictions think they are too unimportant to be targets of break-ins or hacks. However, 
nothing protects them from bugs, and local contests always matter. Millions of dollars of contracts 
and land use decisions are at stake. The greatest dangers may even be criminal groups who want to 
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put favorable sheriffs, prosecutors, or judges in office to protect their criminal enterprises. They can 
try discreetly in many places and only need to succeed in some to have safe havens. Yet only two 
small states consistently hand-audit these local contests and correct results, AK and WV, because of 
the burden of hand-counts. 


Election staff manage 2 or 3 elections per year, or in many states, 2 or 3 every other year. They 
train and manage large temporary staffs and thousands of ballots under intense pressure and 
deadlines, then pare back to a skeleton staff. They go years without a recount. New procedures 
introduce errors, with no time to practice. When Las Vegas had to do a public recount in 2016, the 
Registrar of Voters organized a secret private recount first so the public one would go well.1° It is 
understandable states have not widely adopted strong audits which may lead to hard 100% hand- 
counts, and that many states prevent hand-counts by omitting paper ballots. Georgia counties were 
explicit in 2006 that hand-counting paper records would take more space and time than they have 
available under their legal deadlines, based on a pilot test of paper rolls, which are the hardest ballots 
to hand-count. 11° 


Election staff have recommended the machines they use to the decision-makers, worked closely 
with vendors, and report the machines' results to the press, so they can feel personally challenged if 
someone wonders about the machines’ accuracy. They don't need to; they are not responsible if the 
machines give wrong results, any more than if their office computer or lock fails. Election staff and 
the maintenance and security staff who have pass keys find real physical security insulting, since it is 
designed to keep them out during elections except when the public is present to observe. Strict rules, 
like TSA inspections or health workers’ exam gloves, do not imply we are all criminals or sick. They 
protect the 99% honest and healthy from rare exceptions who can hurt us all. 


The approach in this paper introduces new procedures, but scanning large volumes of ballots can 
be practiced with old or blank ballots, and the approach bypasses hand-counts, storage failures and 
machine failures, while recovering any lost information or results so the voters’ voice can be heard. 


Election staff can look into doing this scanning at any election. Ideas and approaches are available 
from the places which already do independent scans. 


Several counties have tried to solve security problems another way, with open source election 
machines. Open source means people can read the code, and changes go through an approval 
process. Open source counting software already exists from Humboldt County! and FreeandFair.112 
A complete open source system would also handle voting and management. Travis County, TX 
(Austin) could not find bidders to build a complete open-source election system, though it was willing 
to spend $12 million, which would have been cheaper than commercial election systems.113 Others 
still working toward complete open source systems include San Francisco ($8-50 million cost 
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estimate),114 Los Angeles ($15 million),115 FreeandFair and OSET Institute!1¢, San Francisco's 
contractor, Slalom, points out that plausible systems will be built on Linux, data storage, and 
programming languages like Java, so each update of those platforms will need a security review and 
approval by the Secretary of State,!1” unless voters want to trust them without review. The approved 
package will then need a new hash value to verify the correct package is in each precinct. On the 
same page Slalom raises a concern that computers are "manufactured in another country. Actors in 
those countries may have a desire to destabilize the election process..." The commercial election 
company Unisyn builds its systems on Linux.1!8 The same issues apply to Windows-based 
commercial software, which is certified federally and by many other states too.1!9 Can jurisdictions 
save machine costs by letting all voters without disabilities vote on paper ballots without machines 
in the precincts, then scan centrally and use open source software just for voters with disabilities and 
counting? 


OTHER RISKS 


Scanning does not protect voter registration files or mailed ballots before they are scanned. People 
get mail-in ballots under false pretenses and fill them out, or fill in local races which voters left 
blank.!2° Scanning does not prevent lying in campaigns, voter intimidation, double voting or ballot 
box stuffing. Box stuffing can be limited by letting the public see boxes are empty in the morning, and 
watching the boxes all day and night until they get to the scanner. Voter registration changes need 
improvement, and people need to know when their provisional ballot will be adjudicated, so they can 
speak up for it. Other risks need public watchfulness and investigative resources. The Heritage 
Foundation has a long list of people, Republicans and Democrats, convicted of election crimes,!2! 
though proof is hard, sentences are short, and there must be others who got away with it. 


The scanning approach needs comprehensive independent vulnerability assessments, including 
how well scanners and scanned files can be secured by hash values, how soon ballots can be scanned, 
methods of storing provisional ballots securely, and how many independent counts are needed to foil 
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hackers. The goals are both to advise whether scanning is more or less vulnerable than storage and 
hand-counting, and to minimize vulnerabilities of every approach. 
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Abstract 


Physical security alarm systems and access controls have not changed in decades. Much of 
the present technologies are clearly obsolete, which includes not only the individual components 
and sensors, but also the methods and topologies used to connect to centralized control panels.[1] 
How these system security components are connected has been fundamentally accomplished by 
stringing wires and cables to a central monitoring point or control panel from each point of 
egress. More recently, these control panels are being connected to computers. I will show the 
various available topologies which have been traditionally used, and discuss virtues of a more 
secure approach. I will additionally show which classes of sensors are most suitable for this 
advanced system, which includes addressing video surveillance issues. 


Introduction 


At the onset, I consider all ethernet components and interconnections as well as all wireless 
systems of whatever kind as inherently insecure and quite easily breached. I personally possess 
radio frequency (RF) capabilities that can completely neutralize any wireless system without 
suspicion. They will not be considered here as it is the subject of another analysis. 


I will discuss basic network topologies in both historical and reliability contexts. It is 
important to recognize that how systems evolve is not always rational. The end user needs to 
know how their insurance rates are kept artificially high by the use of antique physical security 
installations. Law enforcement also has an interest due to the very high false alarm rates cause 
by technical failures which could be mitigated by the use of modern equipment. 


Installation of new technologies not on the insurance company’s approved list have not been 
permitted in Hong Kong, if the installer wants the physical security system installation insured. 
And the installers apparently have no mechanism to get new technologies added to the list. As a 
member of the Hong Kong Security Association for many years, I have personal knowledge of 
this issue from the local installers themselves. One should keep in mind that the vast majority of 
installers have no formal university electronic engineering degree or specialized military security 
training. This also appears to be a problem in the US.[1] Therefore, the physical security access 
controls are generally neither robust nor more sophisticated than an on/off switch. 


I will first discuss how video surveillance fits into the general scheme and then revisit it again 
after advanced system networks are outlined. A discussion on a broad spectrum of sensors is 
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necessary for us to put the network concepts into perspective. Then, I will show the basic forms 
of networking and put that into a historical setting. Finally, I will show how to build an 
advanced system that obviates the blatant flaws of the seriously antiquated physical security 
access controls and alarm systems. This analysis is directed toward the installers, insurance 
providers, and the end users who are generally non-technical. Therefore, mathematical 
treatments of topological network theory will not be discussed here. 


Video Surveillance 


Throughout Asia, video cameras, locks, and security guards are considered “High Security”. 
High rise residential buildings usually have only video monitors and guards at the entrance doors 
and video cameras located only on the elevators and not near exit doors, which is obviously not 
high security. Some markets and retail business facilities may have more guards with some 
video cameras throughout the store, and corresponding video monitors near the cash registers or 
in an insecure back room. The most common feature is elevators in most buildings having video 
cameras which are monitored by the same guards near the front door, not in any centralized 
secured room away from easy access or view. High rise residential buildings are not considered 
high value assets that warrant high security. 


High value commercial business facilities, such as high rise buildings in centralized business 
districts, usually have many guards throughout the facility with cell phones, and video cameras 
only on elevators or near the main foyer or lobby areas. I have seen a commercial building with 
a glass door opening from a centralized control room to the outside of the building onto the street 
with one guard playing games on a cell phone in front of sixteen video monitors and no physical 
access control monitors whatsoever. These video systems are almost never coupled to any 
physical security network of sensors, such as magnetic contacts or key card access control 
devices or smart locks on doors. 


There is a well-known case where a wealthy family left for a vacation and returned to find 
their safe had been raided. Their entire residence and grounds only had guards and video 
cameras. Of course, no one saw anything and there were no electronic records of unauthorized 
access or video tapes to show otherwise. The case was never solved and the insurance company 
covered the loss. 


The point is the following: people watching video cameras are easily compromised or just 
miss things. No human can watch a dozen monitors all day and observe everything. How many 
video cameras can one have in a very large facility and how does one monitor several hundred of 
them? Moreover, if someone wants into a facility, the guards are the weakest link and there are 
no records, if the video recordings are damaged or corrupted. Never mind that there are means 
to jam wireless video systems or introduce fake line feeds so the guards have no idea there is any 
breach of security. 


Security Exhibitions in Las Vegas have all manner of sensors, smart locks, key card panels, 


and various monitoring devices as well as some video cameras. Security Exhibitions in Asia 
have predominately video camera systems; almost nothing else. A video camera system alone is 
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a minimal low-level security system. But, it can enhance a good security network when it is 
properly integrated into the security network, which I will show below. 


Physical Security Electronic Components 


Electronic security sensors generally are binary devices. That means they are either on or off, 
either secure or in an alarm state. A switch on the wall near a door is either off or on, which 
controls the ceiling lamp in the room. This is adaptable to a security system which is either on or 
off depending upon the physical position of a door being either open or closed. Physical 
mechanical contact between a door and a switch is inconvenient to implement in an installation 
and terribly unreliable. Electro-mechanical switches are not reliable after many openings and 
closings or what is called “mean number of activations before failure”. The procedure is to open 
and close many switches within a specific operational zone of current and voltage to determine 
how many times the switch can be opened and closed reliably on the average or mean time 
between failure. Further, mechanical switches like this cannot be easily hidden from adversaries. 


The glass reed switch, introduced in 1940[2], is opened or closed with a non-contact 
permanent magnet. Such a device is easy to hide and can have a mean time between failures up 
to over a million activations under the right conditions. This is an early form of a security device 
that is still ubiquitous today. All home security systems incorporate them on doors and windows 
throughout an installation. Arrays of glass reed switches are generally used in High Security 
Balanced Magnetic (BMS/HSS) sensors to resist attempts to defeat the device with external 
permanent magnets and enter a facility undetected. It is now known that any High Security 
Sensor (BMS/HSS) employing glass reed technology is defeatable by “Trivial Means”.[3] There 
are videos on the Internet demonstrating the defeat of all major BMS/HSS switches that use glass 
reed technology on the market, even UL Class 2. 


All commercial security sensors have a binary output. Motion sensors such as a PIR (passive 
Infrared), which are activated by warm objects, presumably human bodies, all have a binary 
output, either secure or alarming, like an electro-mechanical switch. Glass break sensors, excess 
vibration sensors, floor pressure sensors, etc. all output either a secure or alarm condition; hence 
the term “binary output”. 


The denotation “binary” suggests an alternative. That would be analog. Analog devices 
output a voltage that depends upon the state of the device. This is not convenient for a number 
of reasons. The analog signal over long lines is modified by the type and length of cable to 
which it is attached and it is neither on nor off. It is also extremely susceptible to electro- 
magnetic interference coupling to the cable. Binary signals are also susceptible, but not to the 
same extent to low level interference. The big problem is interpreting the analog signal. In 
electronic circuits, voltage comparators are used. A voltage comparator tests an analog signal to 
see if it is above or below a predetermined level and generates a high or low output voltage, or 
high or low binary output, accordingly. This specialized circuit would need to be located 
somewhere between the analog sensor and the central control box. This type of specialized 
electronic circuit frequently includes a specialized electronic filter to keep out any induced 
electronic interference. Every device would be different requiring constant readjustments. This 
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is clearly unrealistic and physically unrealizable. Hence, binary outputs are preferentially used 
between the sensor and the central control box. If the sensor is an analog device, the filters and 
comparators are built into it producing a digital output, like a switch and then connected directly 
to a network cable that is strung back to a central control box or alarm panel. 


It is important to note that a binary signal is a type of digital signal. A binary signal is a single 
digit digital signal interpreted as either a 1 ora 0. A digital signal may be composed of many 
binary signals in a measured sequence counted in powers of 2, such as 8, 16, 32, 64 and 128, etc. 
A binary sensor only outputs a | or a 0 depending upon its state, interpreted as either secure or 
alarmed. Back at the central control box, it all looks like a bunch of electro-mechanical switches 
connected to the cables. And, this is where one gets into trouble. 


My hypothesis is that all binary output sensors can be defeated by trivial means. Even if that 
is not true, how would anyone know? By what means could one ever determine if the sensors 
had been compromised in a secure mode? One argument might be multiple sensors of different 
types. This gets messy, complicated, and expensive very quickly. Moreover, I would just attack 
the cables at that point, which is known to have been successfully achieved on several high value 
targets in Hong Kong. The question remains, how would anyone know? How would anyone test 
remotely to see if the sensors and cables had been compromised? Further, what if I also 
compromised any of the remote test circuits which are also binary, and now remote test shows 
everything is functional. I can defeat all of the sensors in the secure state and no one would even 
know there is any kind of problem until the breach is discovered much later, if ever. 


It should be easy to see why recent research criticizes the present state of physical electronic 
security systems and refers to it politely as obsolete.[1] So, what is the answer? Simply, serial 
networks and smart devices. But first, there must be an understanding of the types of networks 
available, why certain ones were used historically, and what networks work to the best advantage 
with smart devices. 


Network Topologies 
There are five basic network types: 


1) Bus network 
2) Star network 
3) Ring network 
4) Mesh network 
5) Tree network 


I will use switches to show how sensors are connected on the network since all sensors 
considered, for the moment, are binary, which makes the character of the actual sensor irrelevant. 


In the bus network topology, shown in figure 1, every switch is connected to a main cable 


called the “bus”, and the bus is connected to the central control box or panel. In this 
configuration, all switches are in parallel and must be normally open for the entire string to show 
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a secure state. If there is one switch per door, how would one know which door had been 
compromised? That would mean all of the doors must be closed for the system to show a secure 
state. It is not possible for only some of the doors to be open with the others closed, because the 
system would always show alarm. When the alarm is activated, which door caused the alarm? 
And, there is no means to discriminate between a cut line and an open switch. Clearly, the bus 
system is not suitable for binary devices. It is a favorable configuration for serial networks 
which can additionally be mapped into a modified ring network which I will show later. 
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Figure 1: Bus Network 


In the star network topology, shown in figure 2, and a graph of a five-leg star in figure 3, all 
the switches are directly connected to the central control box or panel. Historically, it was the 
first realistic physical electronic security system implementation. Most home security systems 
are wired like this, with lights to indicate which sensor was triggered on the control panel and an 
alarm, such as a siren. Most small businesses have security systems that are quite similar to 
home installations. In this network, all of the switches can be normally closed and which switch 
was compromised is immediately obvious. However, one only needs to short out the cable and 
the system is defeated without suspicion. 


PANEL 


! : CONTROL ; 


Figure 3: Star Network Figure 2: Star Network Graph 


Motion sensors (typically, PIR) and simple magnetic contacts with occasional glass break 
sensors are ubiquitous and ineffective against professional intruders. Each sensor is at the end of 
one very long cable that is strung all the way back to the central control box. Since the signal 
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lines are all generally passive, the entire cable bundle can sometimes be shorted out to defeat an 
entire zone in a secure mode; power to active devices being provided near the point of sensor 
installation. 


In the ring network topology, shown in figure 4, each end of the ring is connected to one port 
of a central control box or panel. Each switch is connected in parallel with the other. This is 
equivalent to a bus network connected to the central control box at both ends and is not viable for 
binary devices as it suffers all of the same deficiencies. However, it does represent a favorable 
configuration in a modified form for serial networks which I will discuss later. 
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Figure 4: Ring Network 


The mesh network topology, shown in figure 5, employs either of two schemes, called full 
mesh and partial mesh. In the full mesh topology, each switch is connected directly to each of 
the others which immediately reduces to a bus network, since the switches only have two 
terminals. A partial mesh also reduces to a bus system or ring network as all switches ultimately 
are connected in parallel, as in the full mesh. A mesh network or equivalent bus or ring network 
is not viable with binary devices. Clearly, it is not relevant where the control panel taps into the 
network. 
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Figure 5: Mesh Network 


The tree network topology, shown in figure 6, which evolved from the single star network, 
uses two or more star networks connected together with the central control box at the origin of 
the primary star called a master control box or panel. This is the most common network in more 
advanced systems. The tree in figure 6 is called binary, because it has two legs emanating from 
each node. There can be any number of legs emanating from each node. Each node can be a 
combination of sensors and a control box referred to as a slave control box or slave panel. The 
last node is usually all sensors, but can also be a single binary output hub with many sensors 
wired to it. A straight single node star network would require miles of cable in a large 
installation. However, placing addition slave control panels throughout the system can eliminate 
miles of cabling. There may also be a hub to connect several devices to a single line near the 
sensors which connects to a panel further down the line reducing cables and simplifying wiring. 


Figure 6: Tree Network 


Some installations have gotten around the problem of connecting many slave control boxes to 
a centralized master control panel by substituting a RS485 serial network as shown in figure 7. 
For this configuration to work, a computer is required to manage the entire network. This 
configuration was necessitated by the introduction of access control cards and password 
keyboard panels at the egress. This allows the addition of electronic strike plates, also called 
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magnetic traction locks. However, the sensors used are still all old obsolete antique binary 
sensors with all of the attendant vulnerabilities. 
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Figure 7: Commercial Composite Network[5] 


RS485 Serial Network 


The serial network is becoming a vital part of advanced physical electronic security network 
systems.[5] However, it is still only largely used in high value asset facilities and clearly not to 
its fullest extent, because it still incorporates binary sensors connected to a traditional style slave 
control panel or hub. Many business parks and hotels only wire the doors with key cards or 
password keypads and fire sensors which are all connected to serial networks. Moreover, any 
physical electronic security network in the facility is wired separately in the old-fashioned way. 


Figure 8 shows a full implementation of a RS485 serial bus network. Clearly, there is no 
means for a binary device to be connected. I show dual purpose hubs so that traditional binary 
devices can be connected, but the state of the binary device is translated, digitized, and connected 
to the serial network anyway. The sensors I use all have dual output so that they can be 
connected both to the RS485 serial network and in parallel to the traditional network, which 
creates a certain level of redundancy. 


There are numerous books on serial networks.[4] The serial network is ubiquitous in 
industrial applications. All robotic factory installations use them everywhere for full automation. 
This is highly mature technology and there is no reason it should not have been used more 
extensively in physical electronic security systems except that insurance companies would make 
less money. Most people choose the cheaper tree network with binary sensors to minimize the 
installation cost, because the insurance companies approve the system and cover any loses. But, 
higher risk means higher insurance premiums. 
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Figure 8: RS485 Serial Network 


The single most vulnerable point of attack on a serial network, excluding the Master Server 
itself, is cutting the cable near the Master Server. The point of perimeter breach could be 
anywhere. However, install two RS485 serial ports on the Master Server and loop the serial 
network around back to the second RS485 serial port on the Master Server. If someone cuts the 
serial bus network cable anywhere, the entire network is still fully functional. That means 
someone would have to cut the cable in two places; once on either side of the Master Server. 
This creates a major intrusion incident. I have a complete network with dual RS485 ports just 
like this and it works. 
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Figure 9: RS485 Two Port Loop Network 


28 


Journal of Physical Security 11(1), 20-32 (2018) 


Smart Sensors 


The Master Server can identify each individual sensor by a serial number on the RS485 serial 
network. Any sensor can be addressed by address number and self-tested or interrogated. If an 
alarm state is generated by the device, that information is transmitted back to the Master Server 
with its serial number. Some sensors have additional features, such as thermometers on board, 
that send the temperature back when asked. The binary sensors have all been replaced by smart 
sensors in this system. 


A salient feature of the smart sensor on a RS485 serial network is that the firmware cannot be 
modified, either from the Master Server or a tapped cable. The firmware is burned into the MCU 
(Micro Central Unit) before final assembly over pins specifically for that purpose. The MCU is 
more like a micro-computer than a micro CPU (Central Processing Unit). Those programming 
pins are never connected to the serial lines and are no longer easily accessible after final 
assembly. Additionally, a fuse is burned during programming to prevent such an attempt, even if 
the device is compromised and the pins exposed. Therefore, the smart sensor cannot be 
reprogrammed externally. This is in distinct contrast to a regular PC which is programmable 
over its ethernet port. Further, smart sensors have no means to download files to internal storage 
and subsequently execute that file like a PC. Therefore, malware is less of a problem. 


Smart sensors can report vibration, temperature, proximity of a specialized actuator magnet, 
and even motion sensing. This information is serialized and sent back to the Master Server with 
an ID number. The smart sensor can also be interrogated by the Master Server at any time. The 
entire network of smart sensors can be polled by the Master Server with the collected 
information stored in a log with time stamps and serial numbers. There are fewer means to 
defeat the sensor in the secure state, because the Master Server only needs to interrogate the 
switch to discover its condition and verify its ID. Nothing like this is possible with binary 
sensors. 


What about a Trivial Defeat of a smart Magnetic Proximity device?[2] Such a smart sensor 
can recognize its own actuator magnet and even return a measure of the distance the magnet is 
from it. Trivial Defeat is a specific type of attack [3] that is not effective against analog sensor 
arrays. The smart sensor will know immediately if a magnet actuator has been substituted by 
numerically processing data from an array of magnetometers to reconstruct an image of the 
magnetic field and compare that image with a stored image. This is not science fiction. I have 
several of these devices and the enclosure is exactly the same size and mounting hole pattern as 
legacy Balanced Magnetic Switches (BMS) that can be defeated by Trivial Means. 


The new Terahertz radar sensors are ideal for PIR motion sensor replacement. They can see 
through walls and detect reflector shields. They are not limited by temperature range and may 
have fewer ambiguities in signal reception. Unlike the PIR sensors that can only report a 
disturbance within the field of view, Terahertz radar can show how many people are in the room, 
where they are standing and plot velocity vectors. All of that information can be transmitted 
over the serial network generating a two-dimensional image on the Master Server. Software can 
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use this two-dimensional data to create inclusion and exclusion zones within the field of view 
minimizing false alarms. 


There are many other examples of smart sensors that could be connected to the RS485 security 
serial network. Simple skills related to legacy security system defeat less useful for attacking 
this kind of security system. Even if someone were able to access the serial cables, the Master 
Server should be able to detect that immediately; no registered serial number would be noted 
among other things. If all communications over the serial network are encrypted, even 
wiretapping becomes less useful unless a very powerful computer is available and plenty of time. 


The Master Server 


The Master Server is the single most vulnerable part of the entire security serial network. It is 
imperative that this server is not connected to the Internet, but only connected to other servers 
like it on a restricted Intranet. Any wireless capabilities require serious security analyses. 


Of course, an operating system needs to be chosen. The most widely used operating system is 
a known maximal security risk. There are several websites that go through a very long 
procedure to turn off most of the surveillance features. But, it is widely suspected that there are 
still some secret back doors to the system. This is fundamentally why I only use an open source 
operating system on a computer in any security network environment. It might not appear to be 
of major consequence in an isolated Intranet system. But, it is an unnecessary choice that 
becomes a primary vulnerability, if the Intranet is ever bridged to the Internet. Additionally, 
there are thousands of viruses with thousands of delivery vectors targeting it and virtually none, 
at most only a handful, targeting Linux. The selection choice easily leads to some version of 
Linux. 


I find Ubuntu, although a fine operating system, unsuitable for this purpose, because the 
designers use non-standard coding features which means their code frequently does not compile 
without work arounds on other versions of Linux. My first choice for engineering systems has 
always been Fedora. But, that is a bleeding edge system that changes every six months and 
occasionally has bugs in the source code. My first choice for a high-level security system is 
OpenSuse. There is one version that is designed for long term stability that I use which is listed 
on their website. There are obviously other very good Linux operating systems. One is always 
free to choose something else. 


The user that has access to the RS485 serial ports should have restricted access to the system. 
With this, special software applications that talk to those ports will have restricted access to the 
system and limited permissions by default. This is where an encryption translator would be 
placed to talk to encrypted sensor traffic. This type of architecture allows one to focus on the 
state of the sensors on the network and facility security rather than the Master Server security. In 
a very large network where speed becomes an issue, the XWindows server can be shut down and 
the system operated at level 3, which is a non-graphic full text mode with ncurses. The most 
commonly used non-Linux operating systems cannot do this. The first layer of the system is 
now complete. 
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Multi-Layered System 


If the facility to secure has several or many floors, such as a high rise, it may be more efficient 
to place one complete serial loop with Master Server on each floor. Now, it makes sense to 
organize an Intranet to connect the Master Servers on each floor with one loop to rule them all. 
Great care must be exercised to ensure that a bridge to the Internet is never made anywhere on 
the Intranet, which would compromise the entire system instantly. That means no laptops or 
cellphones anywhere near the Master Servers. 


This is where I address the video cameras. They should all be on their own network layer and 
organized so that their control can be interfaced to the Master Servers. If any sensor shows an 
alarm, the corresponding video camera can be switched on at that site. This allows many video 
cameras with only those turned on by choice or by alarm state. 


Conclusions 


I have discussed the five fundamental network topologies and how they relate to the historical 
development of electronic security networks. The early security networks were all two wire 
twisted pair cables connected to electro-mechanical switches in a star topology. Those switches 
were ultimately replaced by glass reed technology. As installations and facilities became more 
complicated, the tree network was introduced. The character of the networks was influenced by 
the binary nature of the switch sensor devices used throughout it. As technologies became more 
advanced, binary sensor vulnerabilities began to appear. This obviated the necessity for an 
alternate approach. 


To deal with the increasingly complex network distributions, RS485 networks were introduced 
at the tree origin and connected to a computer called the Master Server so that the control panels 
could be distributed. This also facilitated use of keypads and card key access controls. 

However, most of the sensors are still binary devices. 


The smart sensor allows the elimination of the obsolete binary sensors and provides a full 
implementation of the RS485 network which is basically a serial bus network. To guard against 
cut cables early in the serial network, it can be looped back to a second RS485 port on the Master 
Server forming a loop. To guard against cable tapping, the traffic between the smart sensors and 
the Master Server should be encrypted. I call this complete loop a “layer”. 


The Master Server operating system should be an open source Linux-based system for a 
variety of reasons which were discussed. This allows rigid control of the twin RS485 serial 
ports. Encrypting the smart sensor traffic helps protect against network tapping. 


The need may arise for multiple layers throughout a complex facility. This can be 
accomplished by connecting the Master Servers to an Intranet which should be isolated from all 
other networks, the Internet in particular, with restricted access to authorized security personnel 
only. 
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Video cameras should all be on their own network which can be interfaced to the Master 
Servers for a system enhancement. The video cameras could be accessed randomly or 
automatically triggered to view an alarm site. 


What I have discussed in this paper is consistent with the direction that physical electronic 
security industry is going, although not without some roadblocks. These new approaches require 
members of the security community to receive training on the new emerging systems and how to 
deal with them. It also requires more advanced technical support than the older obsolete legacy 
systems. 
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Viewpoint Paper 


Why Security Does Not Belong 
with Facilities Management* 


Roger G. Johnston, Ph.D., CPP 
Right Brain Sekurity 


Black Ops Maxim: If security is the responsibility of the Operations or Facility Management Department, then 
security will be given about as much importance and careful analysis as snow removal or taking out the trash. 
-- “Security Maxims”, https://tinyurl.com/y94wekyn 


It is not uncommon for large organizations to place oversight of security in the Facilities 
Management Department, Division, or Section. In this paper, I argue this is not generally a 
sound practice. It should be noted that in government organizations, Facility Management 
is frequently called the “Operations”. In manufacturing industries, however, the 
“Operations Department” is more often concerned with keeping factory production 
ongoing, and is not dedicated to overall facilities management or maintenance per se. 


There are various arguments supporting my position. A number of security experts, for 
example, have argued that cyber security functions and cyber support/operations do not 
belong together because of different functions and priorities.[1] Some of their reasoning is 
similar to my arguments about security not belonging in Facility Management (FM). 


To start with, I would argue that senior FM managers tend to have experience or 
expertise in areas other than security. Consequently, they may not have a security mindset, 
or understand the complex issues associated with physical security, cyber security, insider 
threat mitigation, and crime control. They may not give security their full attention, nor 
appreciate the challenges faced by their security employees. They may downplay security 
expertise, encouraging employees with facility management or other backgrounds to move 
into security positions within the department. In terms of security culture, FM employees 
may not be in a safe position to raise general and employee-specific insider threat concerns 
as might be the case for employees who work for a Security Division or Department. 


Note also that because many FM employees will be relatively low-level crafts people 
(plumbers, electricians, HVAC technicians, handy men/women, custodians, landscapers, 
etc.), they may not be fully treated as professionals in a manner that is helpful when 
supervising security professionals. There may also be problems associated with security 
hardware being installed and maintained by employees who are not very knowledgeable 
about security systems and security issues.|[2] 


*This viewpoint paper was not peer-reviewed. 
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Moreover, it is worth recognizing that key FM personnel will often be engineers. Asa 
general rule, engineers have the wrong mindset for security. They tend to view nature, 
software bugs, or hardware failures as the adversary, not people. They typically work in 
solution space, not problem space. They think of systems and technology failing 
stochastically, rather than through deliberate, intelligent, malicious intent focused at the 
weakest points. As a result, engineers often are not—at least in my experience— 
psychologically predisposed to thinking like the bad guys. They tend to focus on the user’s 
or customer’s experience, rather than on countering adversaries. 


The way that FM managers view non-FM employees may also not be conducive to good 
security. Non-FM employees will often be thought of as tenants or customers, rather than 
as assets who are participants in the overall security strategy. Often, FM is physically 
remote from non-FM employees. This can engender an “us vs. them” attitude, something 
that is never helpful for good security. 


Another problem with FM control of security is that, by its nature, facilities management 
tends to be a reactive endeavor. FM personnel spend much of their time responding to 
maintenance and facility failures. Plumbing springs leaks and needs immediate repair, 
chemical spills occur, HVAC needs an upgrade, a hornet’s nest might be found near a 
building entrance, a slippery sidewalk needs attention during winter, etc. By its nature, 
security is not usually effective when it is largely reactive. Effective security requires 
foreseeing potential problems, threats, and vulnerabilities before they manifest themselves 
into security incidents. Now it is true that FM is often involved in long-term planning for 
new buildings and infrastructure, but much of this is too far in the future to be on a time- 
scale useful for daily proactive security. 


By the nature of their overall responsibilities, FM personnel will tend to let the existing 
facilities and practices define the security strategies. The unfortunate reality with security, 
however, is that the bad guys get to define the problem, not the good guys. FM personnel 
will also tend to focus on security metrics (if they have such metrics at all) that are 
primarily concerned with cost effectiveness, not security effectiveness. FM personnel are 
also likely to be preoccupied with the costs associated with physical damage to 
infrastructure after a security incident, and overlook much higher (more intangible) costs 
such as harm to employees or the loss of intellectual property, trade secrets, cyber data, 
and organizational reputation. 


Yet another major problem with FM management of security is caused by the fact that 
safety will often also be in the purview of FM. Safety will tend to dominate security for a 
number of reasons, including the fact that safety is a more comfortable and tangible 
responsibility than security. Typically, security that is dominated by a safety approach and 
by safety professionals will not be very effective. [In my view, the International Atomic 
Energy Agency (IAEA) is an example of this kind of problem for nuclear safeguards.] 
Despite superficial appearances to the contrary, safety and security are quite unrelated 
activities and require different mindsets and methods. This is true because with security, 
there is a malicious adversary who wants to cause harm and is potentially capable of doing 
so via an intelligent and/or deliberate attack at the most vulnerable point(s). With safety, 
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there is no adversary and no malicious intent. (This being said, there is certainly benefit in 
safety personnel having input on security issues, and security personnel having input on 
safety issues.) 


In summary, there are a number of potential problems with putting security functions 
under the umbrella of Facility Management (or under “Operations” in government 
organizations). Doing so is not a guarantee of bad security, but it does create an 
environment not particularly conducive to effective security. 
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Abstract 


The popularity of tracking devices is growing, and the technology is evolving. This creates 
new opportunities to enhance the security of the transport supply chain. Canada is 
considered to be one of the world’s largest suppliers of radioactive sealed sources. If sources 
were to be lost or stolen, it could present a risk to Canadian safety and security, as the source 
could be used by malicious actors. 


South Korea, Vietnam, France and the United States are representative of the growing 
number of countries that are developing tracking technologies to be used during the 
transportation of high risk radioactive sources in industrial radiography and well-logging 
applications. There are a variety of approaches being used in both the application and 
the regulation of the emerging technologies. To follow the good practices of both the 
International Atomic Energy Agency (IAEA) and industry, the Canadian Nuclear Safety 
Commission’s (CNSC) Nuclear Security Division (NSD) has developed this research paper 
to better understand the use of new tracking technologies for devices with radioactive 
sources and their applicability to the Canadian environment, including the costs, benefits 
and challenges of implementing these new tracking technologies in industrial 
radiography and well-logging industries. 


As part of this study, two surveys were distributed to Canadian licensees and 
international counterparts, including regulators, members of the World Institute of 
Nuclear Security (WINS) and other relevant stakeholders to collect feedback, experiences 
and general stakeholder opinion. As a whole, this research paper intends to explore 
lessons learned from the industry perspective using tracking technologies as well as 
experiences with organizations developing or using new tracking technologies. The 
study also identifies some good practices for regulators in today’s threat environment. 


Key words: tracking technologies, radioactive sources, nuclear safety, nuclear security 
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1. Background 


Introduction 

This research paper begins with general background information, including an overview of the 
current threat environment and CNSC regulatory framework for tracking radioactive sources in 
transport. Part I describes the benefits and challenges for licensees and regulators using real- 
time tracking technologies for industrial radiography and well-logging applications. This is 
followed by a discussion surrounding the current tracking systems being used as well as the 
related regulatory practices of countries that are using or implementing newer tracking 
technologies, including South Korea, Vietnam, France and the United States. 


Part II presents the results of two surveys that were distributed to Canadian licensees and 
international counterparts, including members of WINS and other relevant stakeholders to 
collect feedback, experiences and general stakeholder opinion. The intent of these surveys was 
to identify what technologies are currently being used and why, as well as the costs, benefits and 
challenges that arise from implementing tracking technologies. Moreover, it describes the 
general stakeholder opinion on tracking technologies, from both current users and non-users. 
As a whole, the intent is to discover lessons learned from the industry perspective on tracking 
technologies by exploring the experiences of organizations developing or using new tracking 
technologies. 


Purpose 
The purpose of this research paper is to: 

e Identify and explore international regulatory practices in relation to tracking of 
Category 2 and 3 radioactive sources in transport; 

e Describe existing and new real-time tracking technologies (for Category 2 and 3) 
that are being used, developed and implemented by other IAEA Members States; 

e Explore the Canadian industry opinion related to the advantages, challenges, 
associated cost and benefits for the use and implementation of tracking 
technologies for industrial radiography and well-logging applications; and, 

e Identify lessons learned and good practices for regulators in today’s threat 
environment. 


Throughout this document, the term sources refers to radioactive sealed sources. 


Method 

The research was conducted over a 12-month period using only open-source information. 
Using unclassified documents, IAEA, World Nuclear Transport Institute (WNTI) and WINS 
presentations and materials from the Nuclear Security Information portal (NUSEC), we were 
able to cultivate a thorough understanding of; the current threat environment, how states are 
responding and preparing globally, as well as good practices and lessons learned that can be 
adopted by Canadian regulatory authorities. 


Two online surveys were sent to Canadian licensees and international counterparts to gather 
information on their use of tracking systems and associated technologies for Category 2 and 3 
radioactive sources in transport, specifically those used in industrial radiography and well- 
logging. The domestic surveys, designed for the Canadian industrial radiography and well- 
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logging industry, were distributed to 227 emails (both in French and English), with a 40% 
response rate. The international surveys, intended for international partners and stakeholders, 
were distributed to 256 emails (both in French and English), with a response rate of 8.9%. 
Information about this survey was also posted on WINS and NUSEC in an effort to increase the 
survey's participation rate. Responses to the international surveys came from 20 countries. We 
also used discussions with experts to collect opinions and experience throughout the 
development of this research project. 


We pursued this research based on several key, though untested, assumptions. We assumed 
that tracking technologies would have the potential to increase the security around sources 
during transportation. It was also assumed that tracking technologies could enable cost savings, 
increased security, and enhanced recovery opportunities. Finally, the costs related to acquiring, 
implementing, using and maintaining tracking technologies would be the primary disadvantage. 


Category 2 and 3 Industrial Radiography and Well-Logging Sources 

There are five categories of radioactive sources. The category is assigned to the radioactive 
source by taking into consideration factors such as the radiological risk associated with the 
source, the nature of the work, the mobility, experience from reported accidents, typical versus 
unique activities within an application and other factors. Category 1 sources are considered to 
pose the greatest risk to human health (if not managed safely and securely), while Category 5 
sources pose the lowest risk.! The focus of this research paper is Category 2 and 3 sources. 


Industrial radiography involves the testing and grading of welds to ensure there is no 
cracking or other issues in pressure vessels, pipelines and pressurized piping.? The material 
used for industrial radiography is Category 2 or Category 3 high activity sources that are 
relatively small in size.2 The sources are highly portable, and because they are used to conduct 
x-rays on pipelines and structures they are often transported, particularly to remote locations. 
An example of a source used in gamma radiography is shown in figure 1. 


Figure 1: QSA Global 990 Delta Projector 


Well-logging is used in the oil and gas industry to provide users with information about 
geologic layers when drilling. By lowering devices containing radiological sources similar to 
the one shown in figure 2 into the borehole, users can measure formation density and porosity. 
The source itself is not readily accessible during use. However, the mobile nature of the 
sources makes them vulnerable to loss and theft. 
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Figure 2: Typical Americium-241/Beryllium well 
logging source attached to bull plug 


Overview of the current threat environment 

The threat of terrorism is growing with increasingly aggressive attacks in the Middle East, 
Europe, and beyond.* All countries must be able to reasonably protect sources from both 
external (terrorism and criminal activity) and internal threats, which may include drivers and 
crew members.° 


In 2006, Abu Hamza al-Muhajir, the now deceased leader of al-Qaida in Iraq, urged scientists 
to help al-Qaida build radioactive weapons.® In 2015, news reports in Moldova announced that 
a man attempting to steal radiological material had publically and openly expressed his desire 
for Daesh to use the stolen material to harm American citizens.’ According to the Radiological 
Security Progress Report, Iraq has warned that the Islamic State extremist group may have stolen 
enough radiological material to create a bomb that would injure major portions of their 
populations and damage large sectors of infrastructure. These events and threats set the 
precedence for finding counter-measures and solutions to better protect Canadians from similar 
threats. 


Lost and Stolen Radioactive Material at the International level 

The IAEA’s Incident Tracking Database (ITDB) has concluded that between 1993 and 2016, 
there were 497 theft incidents, and of which, 224 were transport related.? Though these 
incidents primarily involved low risk sources and posed little risk to the public, the ITDB also 
found that 116 stolen materials were not recovered.’° In figure 3, the ITDB data shows that 
between 2008 and June 2018, there were incidents involving 33 Category 2 and 26 Category 3 
sources related to theft, attempted theft, loss, missing, and misrouting, emphasizing the need to 
study potential mitigating measures. 
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Radioactive Sources by RS-G-1.9 Category from 2008 to 
2018 
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Figure 3: IAEA Reported Incidents, including Stolen, Lost, Missing, 
Attempted Theft by Category from 2008 to June 2018 


In 2015, the James Martin Center for Non-Proliferation Studies (CNS) recorded 188 publicly 

reported source-related incidents in 26 countries.'! Of these cases: 

e less than half were recovered, 

e 58% were stolen while in transport 

e 68% of the sources stolen during transport went missing while the vehicle was left 

unattended.12 

Moreover, these numbers are assumed to be systematically underreported.'° All cases were 
seemingly targeting radioactive material, with the intent of earning a significant profit.“ 
However, the study did not differentiate between the thieves targeting the vehicles for their 
value versus the radioactive materials being transported. 


Vulnerabilities during Transport 

Transportation is traditionally regarded as the most vulnerable phase during the life cycle of 
radioactive material. Though while in movement the radioactive material could be argued to be 
more secure, the material is exposed to additional vulnerabilities. For example, material has 
been removed from a protected facility and is moving through public areas where it could be 
easily seized. In addition, the material being transported may be in locations where off-site 
response forces would take more time to be deployed and intervene in a timely manner.! 
Examples of typical transportation vehicle can be seen in figure 4 and figure 5. 


Figure 5: Transportation of sources in harsh Canadian winter 
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When attempting to steal radiological material, thieves may use the following techniques: 
insiders, pilfering, armed hijacking/robbery, deceptive pick-ups, insider diversions, 
trailer/container theft or warehouse/container burglary.'® Additionally, adversaries could 
tamper with the hardware or software used for tracking and could counterfeit the hardware of 
the vehicle. In some cases, adversaries have used more sophisticated techniques, including: 
thwarting global positioning systems (GPS), jamming, and circumventing shipping container 
security seals and using hired hackers to acquire confidential shipping information.’”? According 
to the CNS study, human negligence is a significant contributing factor in cases of the loss and 
theft of radioactive sources. 18 


Overview of potential risk and consequence if radioactive source is out of regulatory control 

Lost or stolen radiological material can also be used to create radiological exposure devices 
(RED). REDs are intended to expose people to significant doses of radiation without their 
knowledge.!? Using partially or fully unshielded radioactive material, an RED could easily be 
hidden in a public place to expose all those people who sit or pass by the area. 2° 


Radiological dispersion devices (RDD) use radioactive material with a means of dispersal, for 
example explosives or aerosols. If an RDD is used in a malicious manner, consequences could 
include: illness or death of citizens, medical costs, the costs of cleaning or rebuilding the targeted 
location, and the social and psychological impact to the population.21_ The magnitude of such 
consequences are based on the form of the radioactive material within the sealed source, the 
type of event that occurred, the levels of exposure and contamination, the state of cultural and 
political issues in the region, and the effectiveness of the emergency response.” Following the 
Nuclear Security Summit it 2010, there was an emphasis towards increased awareness and 
implementing stronger security measures around radiological materials, particularly during 
transport.?3 


It is important to address the severity of lost and stolen sources. An unclassified Government 
of Canada report in 2007 noted that the explosion of a small RDD near the CN Tower would result 
in mass public anxiety and a 23.5 billion dollar strain on Toronto’s economy. The financial 
repercussions would be the result of, for example, the increased visits to medical facilities, the 
required clean-up, the reduction in rates of tourism and other indirect costs.2+ Other potential 
costs include: the shutdown of radiological operations, law enforcement costs and 
litigation/liability costs. 


Canadian Context 

Published in 2013, the CNSC Regulatory Document 2.12.3: Security of Nuclear Substances: 
Sealed Sources outlines the required security measures for using, storing and transporting of 
radioactive sources in Canada. This document sets out the minimum security measures that 
licensees must implement to prevent the loss, sabotage, illegal use, illegal possession, or illegal 
removal of sealed sources during their entire lifecycle, including while they are in storage and in 
transport. As part of these requirements, the transport of Category 1 sealed sources requires a 
real-time tracking system to monitor the shipment. For Category 2 and 3 sealed sources, there 
is a requirement to implement a tracking system that can be passive or active (real-time 
tracking). This requirement is performance based, therefore real-time tracking is not mandatory 
but the licensee has to demonstrate that they have an effective mechanism to track radioactive 
sources during transport. Tracking for nuclear material is out of the scope of this research. 
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Like many other countries, Canada has developed a national registry and a web-based tracking 
system, along with export and import controls for high-risk sealed sources. The CNSC's National 
Sealed Source Registry (NSSR) and Sealed Source Tracking System (SSTS) have been established 
since January 2006. The NSSR maintains inventory information on all five categories of sealed 
sources in Canada. The SSTS tracks the movement, import, export, and transfer of Category 1 and 
2 sources in Canada, but not in real-time. This research focuses on real-time tracking, typically 
used for monitoring and recovery applications. 


From 1991 to 2016, 66% source related thefts in Canada occurred while the devices were 
stored inside a vehicle or were stolen with the vehicle itself.2° The majority of these stolen 
sources were primarily Category 4 and 5. As seen in figure 6, 13 were Category 2 and 2 were 
Category 3 sources. During this period, there were 13 thefts of Category 2 (industrial 
radiography sources) reported to CNSC. Since the implementation of Regdoc 2.12.3 in 2013, 
there were only 2 Category 2 and 1 Category 3 source reported stolen, all of which were 
recovered at a later date.2° However, all of these events were opportunistic in nature; the thieves 
are presumed to have noticed the attractiveness of the object/package and not its radiological 
content. Therefore, the sources were not the primary target of the thefts. 


Number of Reported Category 1, 2 and 3 
Events Involving Lost and Stolen Sealed 
Sources between 1991 and 2016 in 
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Figure 6: Number of Reported Category 1, 2 and 3 Events involving Lost 
and Stolen Sealed Sources between 1991 and 2016 in Canada 


This section provides an overview of the Category 2 and 3 sources studied in this paper, the 
current threat environments and the Canadian context and regulatory framework for tracking 
Category 1, 2 and 3 sources. With the emergence of new tracking technologies, CNSC is 
interested to study the new innovative approach to enhance the security of the transport supply 
chain as well as the regulatory practices used by other Member States and how it is being 
implemented. 


2.0 International Practices 

This section explores some specific practices by IAEA Member States that are using, developing 
or implementing tracking technologies as part of their regulatory regime. Each section attempts 
to describe why the country’s nuclear regulator moved to implementing real-time tracking 
technologies and the lessons learned, both at the industry and the regulatory level. 
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It was unclear whether some IAEA Member States have clear and established transport 
security requirements or regulations that required tracking for Category 2 and 3 radioactive 
sources in transport. It was also difficult to know if the requirements are prescriptive or 
performance based and if they are harmonized with regional or sub-regional countries. 


South Korea 

In South Korea, the Nuclear Safety and Security Commission (NSSC) is the regulatory body 
tasked with the overall safety and security of all nuclear activities. The NSSC is focused on policy, 
authorization, administration and enforcement. The NSSC works closely with the Korea Institute 
of Nuclear Safety (KINS), which is the technical support organization. 


In South Korea, licensees use two prominent tracking systems: Radiation Source Tracking 
System (RASIS) and Radiation Source Location Tracking System (RADLOT).?”7 RADLOT is a 
system focusing on detection and control. Both technologies have been commercialized and are 
available for purchase. 


RASIS is a system that has been operating since 1999 that looks to minimize and monitor 
incidents with nuclear sources. RASIS has a report management function that creates periodic 
reports, inventory reports, production/acquisition and status updates. It has a tracking system 
that follows the source throughout its lifecycle.28 RASIS has an in-depth inventory analysis and 
statistics function for licensees to use.?? 


RADLOT started operating in 2006. It is regulated through a variety of regulatory documents 
including, the Nuclear Safety Act, Enforcement Regulation, Regulation on Technical Standards 
for Radiation Control, and the NSSC Notice on Security of Radioactive Sources.2° RADLOT 
monitors the sources movements, traces the radiation dose rates, and aides in recovering the 
sources quickly in case of loss or theft - all of which are useful to both licensees and the 
regulatory authorities.21 Figure 7 provides an outline of RADLOT’s operating system. 


GPS terminal 


2 


Mobile communication 
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control center 


Figure 7: RADLOT graphic. Found in IAEA Presentation on 
Preparedness for Radiological Emergency, 2013 GNSSN 


RADLOT is composed of a central control system, mobile terminals, and a commercial 
telecommunications network that can send regular updates to users. RADLOT data is centrally 
reviewed and is a web-based system used for safety and security, and can track location 
information for over 1,500 mobile tracking terminals.  RADLOT transmits data on the location 
of sources via geographic information systems using a digital map provided by KINS.?3 RADLOT 
manages the production, distribution, sale, usage, transport, disposal, transfer and acquisition of 
radioactive sources.** Figure 8 provides an example of how the RADLOT system is attached to 
sources. 
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Figure 8: RADLOT START-88 


Some of the challenges reported from RADLOT’s deployment include: 
e its reliance on a reliable power supply (long-life batteries), 
e its applicability in other countries because of its technical requirements, 
e problems with cross border transportation (for example, lack of compatible terminals), 
and, 
e itis susceptible to tampering and attacks, including but not limited to Denial of Service 
attacks, shielding and tracking technologies being removed from the device.35 


RADLOT was used in a technical project in collaboration with Vietnam. Vietnam, the United 
States and South Korea are beginning to share lessons learned to enhance the technology’s 
applicability.3« 


Vietnam 

The Vietnam Agency for Radiation and Nuclear Safety (VARANS) is the national nuclear 
regulatory body in Vietnam, responsible for over 6,000 radioactive sources currently in use, and 
an additional 1,867 sources that are licensed but not operating.°” 


In 2014, a Category 2 NDT source was lost in Ho Chi Minh City, and was found after 6 days of 
searching, which required extensive emergency response efforts and public resources.?® In the 
following year, a Cobalt source (4,27 mCi) went missing in Vung Tau City. And, in 2016, a Cs-137 
(0,002 Ci) source went missing in Bac Kan. Following these incidents, the government felt an 
urgent need to invest in a tracking system for mobile sources and transportation services, known 
as the Radiation Sources Location Tracking System, or RADLOT.*%? 


RADLOT’s implementation in Vietnam was made possible by the cooperation with the IAEA 
and KINS.*° Ultimately, the tracking system allows licensee and the regulatory body to monitor 
the location and keep track of movement of radiation sources, confirm the dose rate and the 
conditions of the terminals accurately, increasing the level of protection of these sources and 
contributing to enhance nuclear security for the industry.*! 


The tracking system is composed of two basic designs. Firstly, terminals create the mechanical 
design and allow for the system to function and operate. The system was designed to endure 
harsh environmental conditions (including water damage) and be resistant to being 
disassembled.*2 Secondly, the system uses telecommunications infrastructure in Vietnam to 
send real-time information to a Centre Monitoring System (CMS) including the location, dose 
rate, and battery information (which can last more than 10 days).*? The system sends SMS text 
messages and email warnings to the Department of Science and Technology of Hanoi, VARANS, 
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and the participating facility. The tracking system can perform the remote configurations for 
operational parameters of the terminals. As of 2016, the tracking system was in the testing phase 
for mobile sources. The country is looking to track radioactive sources as a method to enhance 
the overall security culture in the country.** 


In the case of Vietnam, the regulator initiated the directive for licensees to implement and use 
tracking technologies, but the cost is transferred to licensees. In May 2017, VARANS issued a 
new directive to delay (24 months) the requirement to implement GPS systems on mobile 
sources because of limited suppliers of the technology and the limited number of devices. *° It is 
currently sole-sourced with the Korean company RADLOT. The tracking system for mobile 
sources is in the testing phase. 


VARANS has outlined the following as requirements for tracking terminals: 
e Mechanical design 
o _—High resistance against harsh environmental conditions 
o Waterproof 
o Working well in high-level radioactive environment 
° Can only be disassembled by special mechanical tools 
e Functions and operations 
fe) Use telecommunications infrastructure in Vietnam 
o _Abattery capacity of more than 10 days, and 
fe) Sends information of projector (as seen in figure 1) to CMS about location, 
dose rate, battery information, being set for operational configuration in 
remote mode: data sending period, and more. 


The following have also been outlined as the requirements for monitoring systems: 
° Design system 
o The server must be built on standards convenient for management access 
and use, 
fe) Displays real-time data, 
o High security. 
e Functions of system 
O Tracking radioactive sources, 
O Sending SMS text message and email warnings to VARANS, DOST, licensee 
facility, 
fe) Providing information history of tracking of terminal, 
fo) Reviewing the activity information of the device (working time, dose rate, 
for example), 
O Can be installed on operating systems: Android, OS, Windows phone, and 
o Performing the remote configuration for operational parameters of 
terminal. 
France 
At the time of this research, the decree for the security of radioactive sources is a shared 
responsibility between |’Autorité de Streté Nucléaire (ASN) and the Ministére de la Transition 
écologique et solidaire (MTES). In France, it is likely that there will be a requirement for real- 
time tracking for Category 2 sources (level B under the IAEA nuclear security guide) in the near- 
future. 
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To ensure the security of such sources, the ASN and the French technical safety organization, 
Institut de Radioprotection et de Streté Nucléaire (IRSN), have begun a pilot project known as 
‘Nuc-Track’ that to provide ‘a secure solution to monitor and track radioactive sources used in 
the industry’, particularly those that are deemed the most vulnerable in Annex I of the IAEA Code 
of Conduct (Category 1, 2 and 3).*° The system is designed to deliver traceable and detailed 
reports on all source movements throughout the country. Nuc-Track is designed to be used in 
the nuclear, industrial and medical industries, particularly during transport. 


Nuc-Track is built into a small black-box device that is embedded and fixed to the packaging of 
the radioactive source.*” Nuc-Track uses a smartphone app for transport to ensure that the right 
device is carrying the right tracker, to enable real-time geolocation of the vehicle, to monitor 
sources by permanent wireless communication, and to use radio communication between the 
driver and the licensee.** In ‘transportation mode’, Nuc-Track works as a tracking system that 
communicates real-time updates with the physical location of the source’s package. If the source 
were to not arrive at its final destination by the pre-programmed arrival time, an alarm would 
be triggered, and the last known position of the source would be sent to the licensee and/or the 
local emergency response forces.*? Nuc-Track system can also be used during storage, and have 
a panic button in case of emergencies.°? Another advantage of Nuc-Track is that it is attached to 
the source’s package, so the technology’s use is more widely applicable and flexible. 


United States of America 

The United States (US) relies on the National Nuclear Security Administration (NNSA) to 
regulate the American nuclear industry. The NNSA works to reduce the global danger from 
radioactive materials and work to ensure effective emergency preparedness and 
responsiveness. 


For the past few years, the Office of Radiological Security (ORS) has been working under the 
Department of Energy on an important initiative with the NNSA. The technology would allow 
licensees the ability to have real-time information about the location of their devices. Looking 
to use alarms and alerts to enhance the security against tampering and theft, the technology has 
the capacity to be adopted by manufacturers worldwide. 


Search and recovery efforts in the United States are currently conducted through a joint effort 
by multiple stakeholders, including but not limited to: the Nuclear Regulatory Commission 
(NRC), the Customs and Border Protection, the Federal Bureau of Investigation, the National 
Guard, and the Department of Energy. A representative from the department of State Health in 
Texas conducted a case study following an event of a lost industrial source in which he concluded 
that the overall cost of recovery efforts was consuming significant resources and required 
extensive cooperation efforts between agencies.5! When a source goes missing, there is a large 
notification process, an incident command center is established, and responders are deployed to 
patrol suspected areas; in some cases a reward can be used to encourage the return of the 
missing source (often around 5,000$).52 


The following is a list of the regulatory requirements in the United States as it pertains to 
tracking technologies: 

e Under Part 10 of the Code of Federal Regulations (CFR): Category 1 sources in 

route must be reported to the NRC, while also using continuous and active 

tracking through a 24/7 communications centre, advanced notification and 
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coordination of transportation routes, and the submission of real-time tracking 
information to the States involved. 

° Under Part 10 of the CFR, Category 2 sealed sources are under constant control of 
the licensee and/or be under surveillance during transportation. Category 2 
shipments are required to have package tracking systems that is documented, 
proven and reliable. 


The United States began a “Transportation Security Pilot Project” in 2009 with the goal of 
“enhancing domestic transportation security to complement enhanced facility security”.>? 
Beginning in 2013, the ORS funded the Pacific Northwest National Laboratory (PNNL) to partner 
with well-logging and radiography industry stakeholders to design and create a tracking system 
for mobile radioactive sources, including cesium-137, cobalt-60, americium-241, and iridium- 
192.54 PNNL has undertaken a series of field pilots to wirelessly and automatically track 
radioactive materials while in transport. The system uses tamper resistant monitors to report 
on the status of sources and incorporates a detection system that can indicate and alert on the 
presence or absence of a source in a container. However, the system remains unable to locate a 
missing source if not inside the container. Though tracking the sources themselves would be 
preferable, the tag would be exposed to high levels of radiation that may hamper and impede its 
function. 


Using Bluetooth, Wi-Fi, and satellite-based GPS tracking, the Mobile Source Transit Security 
System (MSTS) will provide tracking for portable well-logging equipment containing sealed 
radioactive sources including Cs-137 and Am-241 Be.°> In developing the tracking system, the 
ORS worked closely with a number of industry partners, including Baker Hughes and Acuren.°® 
MSTS aids the industry to monitor source inventory, locate the sources and optimize their 
company’s transportation process.®’ The American tracking system also increases safety around 
sources, by using duress alarms, preventing unintended exposures, increasing awareness about 
the source and using source half-life monitoring.*® 


The system tracks the cameras and monitors sources through Persistent Monitoring (PM), 
which can detect the source and its radiation, enable Bluetooth and cellular communication, send 
alerts on the item’s status and location, as well as potentially detect possible tampering.*° 
Notably, the MSTS employs both an “etag,” which is attached directly to the source’s shield and 
includes a “built-in tamper-detection sensor,” as well as an “rtag” used to measure levels of 
radioactivity within the vehicle and thereby detect the source’s presence, which can be seen in 
figure 9 and 10.°° The system can also be utilized inside storage facilities to provide enhanced 
detection and delay against malicious actors.®! In addition, the system can support geo-fencing 
and has a duress alarm capacity.*2. The tracking systems are becoming more readily available 
and affordable in the US. The US was the only nation who has integrated security as a function 
of the container housing the sources. 


Ee 


Figure 9: Example of — Figure 10: Example of an 
an etag rtag 
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2.1 _—_ Lessons Learned from International Practices 

In practice, the countries that have implemented tracking technologies have mostly used the 
devices on vehicles or transport containers. In some countries, the alternative measure for using 
real-time tracking is human controls such as two-person rule, regular communication during 
transport or escort. This research did not look at tracking of international shipments for 
Category 2 and 3 sources. Also, the tracking practices for courier or freight forwarder services 
were not studied. 


In high threat areas and/or in special circumstances, competent authorities may require escort 
for Category 2 and 3 sources. In other situations, it is assumed that this decision is made because 
the telecommunication infrastructure cannot support the tracking technologies (limited satellite 
or cell phone towers/terminals). From a cost perspective having security or human escort can 
provide multiple security functions that elevate the cost related to the use of real-time tracking 
systems. In some countries that rarely transport high risk radioactive sources, it was assumed 
that the most effective option is using escorts, as it is most effective to train, supervise and 
monitor personnel that are in charge of both safety and security during transport. 


Overall, there is no ‘one-size fits all’ solution and the determination to use real-time tracking 
technologies has to be assessed on a case by case basis. Therefore, it’s important to consider the 
threat environment, security vulnerabilities, strategies and the national infrastructure to 
understand the advantages and challenges. 


3. Tracking Technologies 

The IAEA Nuclear Security Implementing Guide (NSS 9) suggests that a graded approach 
should be used when transporting more dangerous radioactive sources, which could include 
tracking technologies.®? There is an assortment of tracking technologies available to consumers 
today, each with their own strengths, weaknesses and costs. In this section, the advantages and 
disadvantages to tracking technologies, as well as their variations, are discussed. 


Advantages 

Using tracking technologies can be beneficial to both the regulator and licensees. The reasons 
listed below argue why some believe tracking systems may have the capacity to lower 
emergency response time. 


According to the WINS/WNTI International Good Practice Guide “Electronic Tracking of the 
Transport of Nuclear and other Radioactive Materials” (Revision 1.0), tracking technologies 
create an added layer of security and deterrence during transportation and decrease the 
likelihood ofa source being lost or stolen.®* Tracking systems can provide instant and automatic 
alerts to incite faster incident response and emergency management capabilities.°> The Good 
Practice Guide also underlines that incident responders would be provided with more precise 
locations of the missing or stolen shipment and whether it is static or in motion, much faster than 
with any other security measures.°° However, the technologies’ precision would be impacted by 
whether it is tracking the vehicle, the device or the device’s packaging. In the event of an 
emergency, tracking technologies can help reduce the cost of the response efforts as the missing 
sources would be more quickly and more easily found. In doing so, national security would be 
bolstered, as missing shipments could be more quickly recovered, minimizing any malicious uses 
of radioactive material at home or abroad.*” 
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Presenting at a WINS workshop in 2015, Raphael Duguay noted that tracking technologies can 
be integrated with other technologies used by the licensee, such as cellphones.®® Tracking 
technologies can be used in land, marine, and rail transport systems.°? Known as geo-fencing, 
they can also be pre-programmed with transport routes, and deviations could set off an 
automatic alarm, improving asset tracking and inventory control across licensee facilities.” 
They also allow for more visibility of assets as they move through the supply chain and minimize 
human error, streamlining business processes.’! However, this could also be considered a 
disadvantage by allowing for adversaries to have greater visibility of radioactive sources. 


The largest, and most evident, advantage brought to licensees and regulators who use tracking 
technologies is the continued situational awareness. 


Disadvantages 
Like any other technological innovation, the implementation and use of tracking technologies 
have encountered some challenges. 


One of the first issues for licensees is the issue of privacy. Many licensees will find that tracking 
technologies impede on the licensee’s freedoms for conducting a business and will allow for an 
excess of government intervention. 


On the technical side, tracking technologies have been criticized as being unreliable. Dr. Roger 
Johnston and Dr. Jon Warner of Los Alamos National Laboratory warn that satellite signals used 
in most GPS applications are not secure, and increase the information security risk.” Many of 
the systems available to the private industry, and much of the federal government, are not 
encrypted or authenticated, making them susceptible to counterfeiting or hacking.’? Licensees 
can go to great lengths to protect their sources by using tracking systems, but without secure 
data encryption, the systems can be less reliable.’ Johnston and Warner also warn that civilian 
GPS systems were not designed nor intended for security applications. They are vulnerable to a 
number of different attacks, from relatively unsophisticated adversaries, including jamming, 
blocking, spoofing and physical attacks.?> When communication signals are lost due to blocking 
or jamming, the GPS based systems may provide an alert when programmed to do so. However, 
spoofing can go unnoticed and undetected.”© As many GPS systems are very user friendly, little 
expertise is needed to use them or counterfeit them.””? Tracking technologies have been 
criticized for creating false positives and triggering unwarranted responses.’® 


One of the main problems associated with the tracking technologies available today is the 
dependency on battery life. Limited battery life can limit the effectiveness of the tracking 
technologies and impair the efficacy of the licensees operations. 


For Canada, it is also important to note that the country’s size, terrain and extreme climates 
could impair the success rates of tracking systems on some components, such as the battery life 
under cold weather. In terms of durability, many tracking systems may not have the battery 
power and field life required to operate in Canada. 


Finally, one of the overarching issues with tracking technologies is related to cost. There are 


costs associated with purchasing, administration, network fees, maintenance fees, spare parts 
and fees related to updating the system. 


50 


Journal of Physical Security 11(1), 36-65 (2018) 


Variations 

The mechanical design of tracking technologies varies. For example, some technologies are 
installed on the vehicle, some use antennae, while others are to be installed on the device. Some 
devices may be given to the driver to control, while some use fibre optic cables to detect any 
tampering or send beacons between satellites and base portals. The technologies’ physical make 
up determines the relative covert or overt nature of the device, as well as whether it tracks 
actively or passively. 


Each variation has its own benefits and challenges. When the device is attached to the package 
or the vehicle, and not the source itself, the technology is then only able to locate the package or 
the vehicle. Additionally, some devices are solar powered and would not be able to be charged 
by the sun should it be stored in the vehicle. Devices that rely on communication networks are 
susceptible to cyberattacks, such as jamming or counter fitting the signal/replaying a valid signal 
(meaconing). Devices that use satellite signals typically use overt antennae that make the vehicle 
more attractive to theft. Evidently, different devices also come with varying price tags; both pay 
per use and lump sum payments are available. 


There are two distinct categories of tracking technologies: passive and active technologies. 
Passive technologies do not operate and update consistently, but rather in the event of an 
incident or malpractice. They use IP locations, 3G/4G and Wi-Fi, third party geolocation service 
providers, and non-location specific IP addresses.’? Active tracking technologies work 
continuously, and typically use a GPS system, Wi-Fi, 3G/4G, and mobile applications (including 
iPhone, Android, and Blackberry) to collect information through firmware or software on a 
computer or wireless device, to locate via GPS chip and/or triangulation using cell towers, and 
through a request response model.®? 


Monitoring of tracking technologies can also be subdivided in two types: hosted and self- 
hosting services. Hosted services receive and store collected data on a server, and the employees 
can view the data from a secure web browser, while self-hosting services allow the companies 
to service the technologies themselves, allowing them to protect the information within their 
own networks and have full control over the data collected and its uses.2! Such communications 
can occur through cell based systems, which use telecommunications to send information from 
base stations to the operators, or GPS based systems, which get information from satellites that 
calculate coordinates to narrow down locations. 


Though radio frequency identification’s (RFID) are commonly discussed with tracking 
technologies, the system has been criticized as being easy for an adversary to spoof because of 
the fixed identification number. Moreover, they are easy to lift, easy to block/jam or counterfeit, 
easy to eavesdrop and easy to spoof from a distance, as much of the software is free and the parts 
are readily available.® 


In 2010, Dr. Roger Johnston and Dr. Jon Warner argued that communication based 
technologies are vulnerable to skimming (reading data off some else’s transponder), sniffing 
(listening in), spoofing (sending false information) and replaying (recording data from one tag 
and playing it back on another).8? Tag based technologies can be cloned; reprogrammed, 
tracked, virus/worm injected or be destroyed.®* In addition, tags and seals are usually visible, 
so are vulnerable to damage, whether accidental or purposeful. 
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Figures 11 through 13 display examples of the varying forms of tracking technologies that are 
commercially available at the time of this writing. 
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Figure 11: Example of commercially available Figure 12: Example of Figure 13: Example of commercially 
tracking technology, Viper SmartStart. commercially available tracking available tracking technology, SPOT 
technology, Mag Guard Satellite GPS Messenger 
Monitoring 


As part of the technological evolution, there are other alternatives licensees can use to track 
sealed sources. For example, smaller licensees who do not have the resources to invest in a 
tracking regime could turn towards using tracking applications on company cell phones typically 
used by drivers during transportation. 


To be more effective, tracking technologies must have improved durability, stronger 
encryption, and be better authenticating locations. Should tracking technologies be used by a 
licensee or a regulator, it must first be determined how the technology will be used, with whom 
the information will be shared, and whether the data will be stored or deleted following its use.®° 


4. Stakeholder Opinion 

A major part of this research project was based on the findings from a stakeholder survey that 
asked both Canadian licensees and international experts a series of questions pertaining to 
tracking technologies. The survey sought to determine the advantages, challenges, cost and 
benefits for the use and implementation of tracking technologies, as reported by Canadian 
licensees. Additionally, the survey looked to explore new tracking technologies that are being 
used, developed and implemented by other IAEA Members States and relevant regulatory 
practices, as reported by the CNSC’s international counterparts. This research was limited by 
the availability of resources, as well as the number of respondents to the survey. 


The survey was distributed by email (with reminder emails send on a monthly basis) and was 
posted on a variety of international forums, including WINS, over a three-month period; 
however, the study was limited by the relatively low number of respondents. The domestic 
survey was distributed to 277 emails and received 91 responses, a 41% response rate. Of the 
responders, 57.3% were already using tracking technologies. The international survey was 
distributed to 256 emails and links to the survey was posted on WINS and on NUSEC. 
Unfortunately, this survey only received 29 responses - an 8.9% response rate. We were 
pleased to see each continent represented in the data. The surveys can be found in the Appendix. 
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No, disagree 
21.43% (18) 


— Yes, agree 
38.10% (32) 


Neovtral 
40.48% (34) 


Figure 14: Domestic responses on whether the 
benefits of tracking technologies have justified 
their costs 


Prior to the surveys completion, it was assumed that tracking technologies would increase the 
security around sources during transportation, thus creating a return on investment. It was also 
assumed that those who already use tracking technologies would have seen cost savings, 
increased security, and enhanced recovery opportunities as the advantages of using and 
implementing such technologies, and that they would see cost as the primary disadvantage to 
using and implementing the technologies. As seen in figure 14, the majority of respondents to 
the domestic survey either agreed that the benefits of tracking technologies have justified their 
cost, or responded neutral. However, 76% of users in industrial radiography stated that using 
tracking technologies did not provide them with any financial benefits, and respondents were 
polarized when asked if the overall benefits justified the costs of the technology and its use. 
Though most responders from industrial radiography noted that they did not get any return on 
investment, those that did (16%) noted that the financial benefits were tied to better compliance, 
a decrease in motor vehicle incidents, vehicle maintenance, insurance fees and reputational 
benefits. The well-logging industry also noted that they do not believe that tracking technologies 
provide other financial benefits (71.4%) and almost have of respondents did not think that the 
overall benefits provided by tracking technologies justify their cost (45.5%). In contrast to the 
polarized answers given by the respondents in the domestic survey, international respondents 
strongly believed that tracking technologies are justified by their costs, as seen in figure 15. 


No, disagree 
3.57% (1) 
Neutral 
14.29%(4) 


Yes, agree 
82.14% (23) 


Figure 15: International responses on whether the 


benefits of tracking technologies have justified their 
costs 
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Many respondents noted that the technology needs to be improved to be made more reliable 
and more secure. Though the new technologies are promising, responders believed that the 
technologies were not mature enough to be implemented. Some vulnerabilities noted by 
responders include: jamming, spoofing, cyber security, security of information, computer 
servers (backdoor information) and privacy versus security issues. 


It is interesting to note that many of the larger licensees noted several more advantages than 
smaller licensees. Smaller licensees, particularly those in remote locations, noted added 
difficulties to implementing tracking technologies. In remote areas, it is difficult to find reliable 
vendors and adequate technology. It is also a financial burden for smaller companies. 


Some licensees were skeptical about the new tracking technologies and some expressed 
concerns that this technology provided a false sense of security. Many current users have issues 
with cost, reliability and the overall maintenance of the system. Other responders were neutral 
and some were optimistic with the evolution of the technology. Some licensees encouraged the 
concept of using security by design. Larger companies mentioned that they got a small return of 
investment but in general tracking system is considered to be an operational cost of doing 
business. 


5. Lesson Learned and Good Practices 


In this research, we explored multiple ways in which nuclear regulators have implemented 
tracking requirements during transport into their regulatory regime. Some countries have 
used a prescriptive approach to make it mandatory and by promoting the use of one specific 
technology or device. Others have used a performance based approach, letting the licensees 
decide which systems or processes works best for their applications. More research using 
cost/benefits analysis would be beneficial for security practitioners. There is a need to 
conduct pilot test in the field and evaluations to demonstrate the capacity and maturity of 
the new emerging tracking technologies and share good practices for effective 
implementation and monitoring. 


New tracking technologies have not been sufficiently tested in Canada. It would be ideal to 
conduct field or pilot tests in a Canadian environment under different weather conditions 
and in different locations. Also, it would be interesting to study how these new technologies 
are able to detect and address jamming and spoofing attacks. The new tracking technologies 
have to demonstrate their maturity and reliability. In order to promote security by design, it 
is important to involve the manufacturers and promote close coordination with stakeholders 
and industry. 


A phased-in approach, in consultation with the industry would be a recommended 
approach with the industry to provide time and proper transition management. In Canada 
for example, the new technologies look promising but retrofitting Category 2 and 3 packages 
would not be a cost-beneficial approach. Any change to the security requirements would 
include consultation with the industry and thorough risk assessment that would include cost- 
beneficial analysis and a privacy impact assessment. 
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Using tracking technologies during transport should be part of the overall transport 
security system. There should be other reliable and redundant forms of communication, 
monitoring and tracking during shipment to provide defence in depth. Proper 
implementation of the technology in the overall transport security management system is 
essential. This includes proper integration with process and procedures, quality assurance 
and preventive maintenance programs, regular testing of devices and proper training of the 
users and personnel. 


This research paper began by exploring general background information about the current 
threat environment, radioactive sources and the Canadian regulatory framework. Having 
established a common framework of understanding, the paper continued by discussing the 
current tracking technologies and regulations being used internationally. The paper then 
debated the advantages and disadvantages of tracking technologies more generally, before 
expanding on the different variations of tracking technologies available. Finally, the paper 
discussed the results of two surveys that were distributed to Canadian licensees and 
international counterparts in an effort to gain both insight on both industry and regulatory 
experience. By structuring the paper in this way, the authors were able to identify several 
lessons learned and good practices, which were discussed above. 
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Appendix A 
Survey 1 


(Licensees) 
The Canadian Nuclear Safety Commission’s Nuclear Security Division (NSD) is seeking to gather information related to 
tracking systems and associated technologies used for transport of radioactive sealed sources in the industrial 
radiography and well logging industries. This project aims to identify the advantages of tracking technologies, as well as 
the challenges, key issues, and costs and benefits associated with implementing them. The information collected will be 
used to share best security practices within the industry. 


As part of this research project, NSD staff is looking for your voluntary feedback. We would greatly appreciate your 
answers to the following questions. 


1. Please identify what kind of licensee or organization your company is classified as. 


Organization using industrial radiography 
Organization using well logging 
Carrier/transportation/freight forwarder 
Manufacturer 
Servicing and/or maintenance company 
Other (please specify) 

2. Where is your facility located? 


3. For what purpose does your company generally use radioactive sealed sources? 
4. How often do you transport high-risk radioactive sealed sources? 


Daily 

Weekly 

Monthly 

Yearly 

Other /not applicable (please specify): 


5. Doyou currently use a type of tracking technology when transporting high-risk radioactive sealed sources? 


Yes; when in transportation, our materials are tracked 
No, we do not currently have a tracking system in place (please explain why your company has not implemented 
tracking technologies) 


*If responder answered “Yes” to question 5, they will be redirected to the questions below 


6. What do you see as an advantage of using and implementing tracking technologies (select all that apply)? 
Cost savings 
Security for detection of unauthorized removal of sealed sources 
Compliance 
Enhanced recovery opportunities for lost or stolen devices 
Enhanced vehicle management 
Other (please specify): 


7. What did you find to be a challenge in implementing/using tracking technologies (select all that apply)? 


Ensuring reliable communication coverage 
Cost 

Battery life cycle 

Ensuring a reliable power supply 
Environment (durability) 

Tampering 

Cyber security 

Other (please specify) 


8. What do you see as a disadvantage of using tracking technologies (select all that apply)? 
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Cost 

Reliability 

Equipment maintenance/repairs 
Other (please specify): 


9. Has the implementation of tracking technologies provided financial benefits to your company? Please explain. 
10. What are the costs associated with implementing tracking technologies? 


11. Do you believe that the benefits of tracking technologies have justified their cost? 
Yes, strongly agree 
Yes, agree 
Neutral 
No, disagree 
No, strongly disagree 


12. Do you have any other feedback on tracking technologies? 


13. Would you be interested in being contacted again about this project? 
Yes (please leave contact information below) 
No 


*If responder answered “no” to question 5, they will be redirected to the questions below 
14. What do you see as an advantage of using and implementing tracking technologies (select all that apply)? 


Cost savings 

Security for detection of unauthorized removal of sealed sources 
Compliance 

Enhanced recovery opportunities for lost or stolen devices 
Enhanced vehicle management 

Other (please specify): 


15. What do you see as a disadvantage of using tracking technologies? 


Cost 

Reliability 

Equipment maintenance/repairs 
Other (please specify): 


16. What do you see as a potential challenge associated with implementing tracking technologies (select all that apply)? 


Reliable communication coverage 
Battery life cycle 
Reliable power supply 
Environment 
Tampering 
Cyber security 
Other (please specify) 
17. Do tracking technologies for radioactive sources create any return on investment or other financial benefits? Please 
explain. 


18. Do you believe that the benefits of tracking technologies could be justified by their added costs? 
Yes, strongly agree 
Yes, agree 
Neutral 
No, disagree 
No, strongly disagree 


19. Please provide your rationale or further comments: Do you have any other feedback on tracking technologies? 
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20. Would you be interested in being contacted again about this project? 
Yes (please leave contact information below) 
No 


Survey 2 


(International Contacts) 


The Canadian Nuclear Safety Commission’s Nuclear Security Division (NSD) is seeking to gather information related to 
tracking systems and associated technologies used for transport of radioactive sealed sources in the industrial 
radiography and well logging industries. This project aims to identify the advantages of tracking technologies, as well as 
the challenges, key issues, and costs and benefits associated with implementing them. The information collected will be 
used to share best security practices within the industry. 


As part of the research project, NSD staff is collecting voluntary feedback from international counterparts who have 
experience with tracking technologies or knowledge on the subject. We would greatly appreciate your answers to the 
following questions. 


1. What type of organization do you work for? 


Regulator 

Licensee or operator 

Technical support organization 

Carriers 

Organization using industrial radiography 
Organization using well logging sources 
Other (please specify) 


2. Country or international organization: 
3. How many years of experience do you have in implementing tracking technologies? 


Less than a year 
From 1 to 2 years 
From 2 to 3 years 
From 3 to 4 years 
From 4 to 5 years 
From 5 to 6 years 
More than 6 years 
Not applicable 


4. Does your country/organization require tracking technology for radioactive sources while they are in transport? 
If so, is active or passive tracking required? Please explain. 
(Note: Passive trackers do not monitor movement in real-time, but receive information, including stops made 
and directions travelled, once it has been downloaded to a computer. Active trackers produce information in 
real-time.) 


Yes (please provide the reference to the requirement in the comment box below) 
No 


5. If so, for which category or categories of sources does your country use tracking technologies (select all that 
apply)? 
Category 1 
Category 2 
Category 3 
Category 4 
Category 5 
Not applicable 
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How are tracking technologies made available to licensees? 


Technology is or will be provided by government/competent authority 
Licensees are responsible for finding the technology to meet requirements 
Unsure 

Not applicable 


What practices are used by the regulator in regards to the information gathered through the use of tracking 
technologies? 


The regulatory body/competent authority has access to the information at all times 

The regulatory body/competent authority has access to the information upon request 

The information is not available to the competent authority unless there is a legitimate reason 
Not applicable 

Other (please specify): 


Has the technology been commercialized? 


Yes 
No 
Not applicable 


What are the costs/challenges associated with implementing tracking technologies? 
What are the costs associated with maintaining tracking technologies? 
What do you see as an advantage of using tracking technologies? Please select all that apply. 


Cost savings 

Security for detection of unauthorized removal 

Enhanced recovery opportunities for lost or stolen devices 
Compliance 

Enhanced vehicle management 

Other (please specify): 


What do you see as a disadvantage of using tracking technologies? Please select all that apply. 
Cost 
Reliability 
Equipment maintenance/repairs 
Other (please specify): 


Do you believe that the benefits of tracking technologies have justified their cost? 
Yes, strongly agree 
Yes, agree 
Neutral 
No, disagree 


No, strongly disagree 


In your experience, was a cost-benefit analysis conducted on the use of tracking technologies? If so, what were 
the results? 


Do tracking technologies for radioactive sources create any return on investment or other financial benefits? 
Please explain. 


Do you have any feedback on tracking technologies that has not been reflected elsewhere in this survey? 
Would you be interested in being contacted again as part of this research project? 


Yes (please leave contact information below) 
No 
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Figure 1: QSA Global 990 Delta Projector. https://qsa-global.com/product/880-delta-series- 


source-projectors/ Accessed on May 25 2018. 
Figure 2: Typical Americium-241/Beryllium well logging source attached to bull plug (2009). 


Retrieved from the Security Guidelines for Well Logging (PSSG 06), Australian Radiation 
Protection and Nuclear Safety Agency. 
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Figure 3: IAEA Reported Stolen, Lost, Missing, Attempted Theft by Category from 2008 to June 
2018 (source: ITDB) 

Figure 4: Truck used to transport industrial radiography materials. Canadian Nuclear Safety 
Commission. 

Figure 5: Transportation of sources occurring in harsh Canadian winter. Canadian Nuclear 
Safety Commission. 

Figure 6: Number of Reported Category 1, 2 and 3 Events involving Lost and Stolen Sealed 
Sources between 1991 and 2016 in Canada. 

Figure 7: RADLOT graphic. Found in IAEA Presentation on Preparedness for Radiological 
Emergency, 2013 GNSSN. PDF Accessed on May 25 2018. 

Figure 8: Successful Korean Initiatives for Strengthening Safety and Security of Radioactive 
Sources, Byong Soo Lee, Korean Institute of Nuclear Safety, RADLOT START-88s. 

Figure 9: Example of an etag. Office of Radiological Security Mobile Source Transit Security 
Presentation, MSTS Overview PDF. 

Figure 10: Example of an rtag. Office of Radiological Security Mobile Source Transit Security 
Presentation, MSTS Overview PDF. 

Figure 11: Example of commercially available tracking technology, Viper SmartStart. Retrieved 
from https://advance.mb.ca/products/viper-smartstart-with-gps on May 25 2018. 

Figure 12: Example of commercially available tracking technology, Mag Guard Monitoring. 
Retrieved from http://www.magguardmonitoring.com/truck security.htm on May 25 2018. 
Figure 13: Example of commercially available tracking technology, SPOT Satellite GPS 
Messenger. Retrieved from https://www.findmespot.ca/en/index.php?cid=102 on May 25 
2018. 

Figure 14: Domestic responses on whether the benefits of tracking technologies have justified 
their costs. Taken from the survey distributed to Canadian stakeholders. 

Figure 15: International responses on whether the benefits of tracking technologies have 
justified their costs. Taken from the survey distributed to international stakeholders. 
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Abstract 

The depiction of firearms in mass media coverage of active/mass shootings begets an 
important question: How do the security and law enforcement experts in charge of 
prevention, mitigation, and response think about firearms? To answer this question, | 
conducted a qualitative content analysis of firearms depictions in post 2010 North American 
instructional training videos that were about active/mass shooters. A sample of 24 videos 
was selected for analysis. This study utilized limited quantitative measures to produce an 
overall picture regarding numerous firearms characteristics as they related to depiction. 
Characteristics were coded into thematic categories, and an overarching analytical theme. 


Overall, this study found evidence that depictions of firearms produced feelings of fear in 
the intended audience. A limited application of Protection Motivation Theory (PMT) was 
invoked as a preliminary explanation for both the nature of the findings and the rationale 
behind such depictions. I conclude with a discussion of the implications for future research 
and the role of expert protection professional involved in the production of instructional 
media 


Keywords: Active Shooter, Mass Shooting, PMT, AR-15, Training, Instructional Media 


Introduction 

The issue of workplace violence gained a new dimension in the late 2010’s with the 
increased prevalence of mass shootings. Fueled by intense media coverage, the tale of 
assault weapons and mass shootings coalesced around a single weapon—the AR-15 rifle, 
proclaimed by the National Rifle Association as “America’s Rifle” and “the most popular rifle 
in America” (Smith, 2016; Lloyd, 2018). An estimated 8 million AR-15’s are owned in 
American to this date (Smith, 2016). 


In 1950, a former US Marine by the name of Eugene Stone patented the first AR-15 rifle. 
Stoner’s company, Armalite, quickly began distributing AR-15’s around the globe. They were 
utilized by the military in the form of the M16A1 assault rifle and marketed to civilian dealers 
as a lightweight, modular sporting rifle suitable for hunting, target shooting, and self-defense 
(Picchi, 2016). Soon, other firearms manufacturers began copying the unique design of the 
AR-15, and within a decade dozens of AR-15 style rifles had emerged on the market, based 
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on the same hinged lower/upper receiver, bolt, STANAG magazine housing, 5.56/.223 
calibre rifling, and modularity design (Smith, 2016). 


Nearly 72 years later, James Eagan Holmes walked into an Aurora, Colorado theatre and 
opened fire with a Smith and Wesson AR-15 style rifle, modified with a 100-round drum 
magazine, killing 12 and injuring 58. What mercifully should have been a one-off incident 
became only the beginning of a long period of bloodshed and spent casings. By 2018 another 
9 incidents involving the AR-15 in mass shootings had occurred, with a record 58 killed 
during the deadliest incident at the Mandalay Bay resort in Las Vegas (Smith, 2016). 


The debate surrounding the AR-15 rifle revolves primarily around its perceived role in 
exacerbating the severity of mass shootings via its popularity, lethality, and modularity. Both 
firearms lobbyists and opponents agree that the AR-15 is an intuitively user-friendly firearm 
with superior stopping power, low recoil, customizability, accuracy, and low weight (Smith, 
2016; Picchi, 2016; Lloyd, 2018). The integrated rail system allows for modular attachments 
such as fore grips, slings, lasers, scopes, and electronic sighting systems designed to increase 
accuracy and ultimately, lethality (Smith, 2016; Picchi, 2016; Cummings & Jansen, 2018). 
The NATO STANAG magazine housing allows for the insertion of aftermarket magazines with 
capacities ranging from 5 rounds in certain locales to 100 rounds in high-capacity drum 
magazines (Cummings & Jansen, 2018,). Although automatic variants are universally 
restricted or outright prohibited, modular devices such as bump stocks to ramp up the fire 
rate do exist and are available on the civilian market (Cummings & Jansen, 2018). 


Research Goals 

The purpose of this research is not to examine the actual prevalence of usage of AR-15 
style rifles in recent mass shooting incidents, nor is it to examine the dominant media and 
political discourse surrounding AR-15 rifles. Rather, the research examines a novel avenue. 
The goal of this study is to describe the firearms used in active shooter training videos and 
explore their depiction. By shifting the focus to instructional videos, I hope to shed some 
light on the depictions of the AR-15 rifle and other firearms as it relates to the perspective of 
law enforcement and security experts who are tasked with mitigating, preventing, and 
responding to active shooters. As such, the nature of the research is descriptive and 
exploratory in nature, being the first of its kind in a novel avenue of study. It is my hope that 
it will set the foundations for further explanatory studies in this area. 


My research question is: How are firearms depicted in post-2010 North-American-based 
active/mass shooter instructional videos? Given my background in physical security & risk 
management, developing a nuanced understanding of how training videos depict firearms is 
crucial to me for purposes of curriculum development and quality control. The process of 
making an active shooter instructional training video is a knowledge-building and sharing 
activity, so discerning the epistemologies and ontologies of its creators is vital for an 
understanding of the depictions in these videos. This necessitated a qualitative approach, in 
order to accurately synthesize, analyze, and interpret the voluminous amount of narrative 
data depicted. 
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Literature Review 

Because the body of academic research regarding firearms portrayals in instructional 
training videos is largely non-existent, this project draws upon the field of empirical 
knowledge gleaned from studies of actual mass shooting incidents and the associated 
instructional media. The purpose of this literature review is to provide context and 
information on the phenomena of mass shootings, as well as to outline the role and layout of 
current instructional training videos. 


Theory played little to no role in this literature review, as a deductive approach using 
theoretical application was deemed unsuitable for such a novel topic. A process of 
generative induction was used to arrive at a proto-theory, consisting of thematic linking of 
the most pertinent and relevant data points regarding firearms depictions in training videos. 
The proto-theory was then augmented and refined via theoretical integration with key 
propositions of Protection Motivation Theory (PMT). (See the Discussion section.) 


Active /Mass Shootings 

The definition of an active/mass shooting is disparate between different agencies. In 
general, it describes an ongoing incident where an individual(s) is actively engaged in 
systematically and indiscriminately killing or attempting to kill multiple persons using 
firearms in a confined and populated area, whether in a public or private setting (Federal 
Bureau of Investigation, 2013, p. 4-5; Lankford, 2016, p. 190; Bonanno & Levenson, 2014, p. 
1). This definition features a plethora of inclusionary and exclusionary criteria. In terms of 
inclusionary criteria, Lankford (2016) suggests that a mass/active shooting must involve the 
use of a firearms and strike random persons without specific targeting (p. 190). In terms of 
exclusionary criteria, the shooting cannot be solely gang, narcotics, domestic, hostage, 
robbery, or assassination related (Lankford, 2016, p. 190). The Federal Bureau of 
Investigation (2013) also excludes from consideration incidents where persons were 
wounded or killed in a public setting by the accidental or inadvertent discharge of firearms 
(Federal Bureau of Investigation, 2013, p. 4-5). 


Active/mass shootings occur disproportionately in North America compared to other 
international locales. By 2016, the US topped the list of mass shooters with 90 total 
offenders, compared to the 10, 11, 15, and 18 offenders from France, Yemen, Russia, and the 
Philippines respectively, with no other country having more than 9 offenders (Lankford, 
2016, p. 192). From 2000 - 2013, an average of 11.4 active/mass shooter incidents have 
occurred annually in the US, for a total of 160 total incidents within a 13-year span (Federal 
Bureau of Investigation, 2013, p. 6). 


The rate of occurrence is accelerating, with 6.4 incidents reported annually from 2000- 
2007 to 16.4 incidents reported annually from 2007-2013 (Federal Bureau of Investigation, 
2013, p. 6). The rate of occurrence for mass shootings further accelerated from 2011-2014, 
from one shooting per 200 days on average since 1982, to 1 shooting per 64 days on average 
in that 3-year span (Peterson, Polland, & Sackrison, 2015, p, 128) Incidents are 
disproportionately distributed by setting, with the bulk (70%) of incidents occurring in 
business and school settings (Federal Bureau of Investigation, 2013, p. 6). Other settings 
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that were targeted include military installations, government infrastructure, public streets, 
healthcare facilities, and religious sites (Federal Bureau of Investigation, 2013, p. 6). 


In terms of firearms, attackers utilized handguns primarily (61%) with rifles or shotguns 
secondary (49%) (Bonanno & Levenson, 2014, p. 2). Particular attention must be paid to the 
involvement of firearms in active/mass shootings. Not only are they an integral part of the 
definition and physical act, but the availability of firearms also has key associations with the 
prevalence of active/mass shootings. Research has consistently demonstrated a strong, 
significant correlation between high firearms ownership rates and death by firearms, 
whether it be homicide, suicide, or a mass shooting (Lankford, 2016, p. 189). 


In terms of armament, the citizenry of the US literally outguns the world, with an 
ownership rate of 88.8 firearms per 100 population (Lankford, 2016, p. 189). Outside of the 
US, several other high ownership nations such as Yemen, Switzerland, Finland, and Serbia 
also exhibit the same strong, significant correlation between firearms ownership rates and 
mass shootings per capita Lankford, 2016, p. 194). The availability of firearms on the legal 
market thus provides an avenue for prospective mass shooters to obtain their armaments. 
Despite the argument that mass shooters are thought to obtain their firearms illicitly, 
research suggests that the majority of mass shooters purchase their firearms through legal 
avenues, as many are identified as lacking the social connections or cognitive abilities to 
procure firearms illicitly (Lankford, 2016, p. 189). 


Instructional Training Videos 

In response to the severe impact and critical threats that active/mass shooter incidents 
pose, law enforcement officials, security practitioners, and various other stakeholders have 
begun implementing training initiatives across the continent for risk management purposes. 
Training is designed to teach safe response and mitigation tactics to civilians who may 
encounter an active/mass shooter (Ford & Frei, 2016, p. 438-439). The intensity, realism, 
and focus of the training varies considerably. On one end of the spectrum is the live-action 
simulation, complete with fake injuries, police, actors posing as shooters, and pyrotechnics. 
On the less vivid end of the continuum are instructional training videos, which can range 
from lectures to the more narrative, scenario-based presentations. These include videos 
such as “Run, Hide, Fight” by the City of Houston, and “Shots Fired: When Lightning Strikes” 
by the Center for Personal Protection & Safety, 2007). These videos are created by LE and 
security consultants for distribution to various organizations, either open-source or for a 
licensing fee (Peterson, et al., 2015, p, 128). By 2018, hundreds of thousands of citizens 
around North America have undergone active/mass shooter response training via these 
training videos (Peterson, et al., 2015, p, 129). 


The apparent effectiveness of the videos as a whole is mixed. Fox & Savage (as cited in 
Peterson et al., 2015) suggest that increase in fear and anxiety after exposure to an 
active/mass shooting training video may not be worth it, given the minimal risk of an 
active/mass shooter scenario occurring (p. 129). They posit that the training videos 
contribute to an unhealthy culture in the organization which it is delivered to, by increasing 
fear, and decreasing positive engagement (Peterson, et al., 2015, p, 129). On the other hand, 
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Ford & Frei (2016) conducted a study of active/mass shooter training videos and found 
positive changes in measures of personal safety, salience, knowledge, and self-efficacy in the 
audience (p. 450). Viewers perceived themselves as being more knowledgeable about 
response procedures, more confident in their abilities, and developed a keener awareness of 
personal safety & security in their environment (Ford & Frei, 2016, p. 450). Peterson et al. 
(2015) found that strong support for the effectiveness of training videos. In their study, 
participants who had watched a training video rated themselves as feeling significantly more 
prepared to respond to an active campus shooter (Peterson, et al., 2015, p, 133 - 135). 
Moreover, the same participants assigned a higher score to the importance of security and 
prevention measures (Peterson, et al., 2015, p, 133 - 135). 


Data Source & Sampling Strategy 

The main source of data for this study came from a qualitative content analysis of firearms 
depictions in 24 post-2010 active/mass shooter instructional training videos from North 
America. Video titles and data about the videos appear in the Appendix. The usefulness of 
the videos was threefold. Firstly, I was able to collect the most chronologically relevant 
videos which were aligned with the occurrences of real-life events, thus increasing 
legitimacy. Secondly, these videos allowed for a higher visual, sound, presentation, and 
content quality compared to pre-2010 videos. Finally, the post-2010 videos ensured a higher 
chance of the video being in a digital format uploadable to public video-sharing websites 
(mp4/wmv as opposed to VCR or 8mm film). 


The North American setting was chosen due to the availability of sources. I hypothesized 
that because North America incurs a disproportionately higher rate of active/mass shooter 
incidents, it would also likely have a higher number of training videos available. Specificity 
of sources was not a concern here. All videos regardless of setting, type, or intended 
organization (school shootings, church shootings, public shootings, etc.) were collected and 
subsumed into a general (active/mass shooter) category for breadth. The study sampled 
around 2 hours of video footage, divided into 24, 5-minute average videos. 


In general, the sampling strategy was purposive, convenient, and non-random. Due to the 
numerous compliance requirements necessitated by the research question (Post 2010's 
videos, NA setting, active/mass shooter, instructional in nature), a stringent set of sampling 
procedures and guidelines was implemented to ensure specificity of data. The sampling 
strategy resulted in a rank-ordered data collection procedure that moved top-down through 
a two-part hierarchy of sources. Sources in the hierarchy and their hosting medium were 
rank ordered according to a 3-part criteria: Visibility in the form of user base size (# of 
unique page hits and views), video-hosting capabilities, and SEO (search engine 
optimization). According to this criteria, the data source mediums were ranked as: 

1. Tier 1: YouTube. YouTube’s high ranking stems from its 1 billion monthly users, 
video-hosting dominance, prominence in North America, and strong SEO (Ribi, 2017). 

2. Tier 2: Google. Google was assigned to tier 2 due to its large user base, search power, 
and content aggregation, but inability to host videos unlike YouTube. Google will be 
utilized to locate videos not hosted on tier 1 and 2 sources. 
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Data Collection & Organization 

Collection of data proceeded top down from tier 1 to tier 2. Starting with tier 1 allows for 
the quick collection of the largest and most relevant amount of data available. Tier 2 serves 
as a contingency in the event that data exhaustion is reached at tier 1 and no further videos 
are available for searching. In that event, tier 2 could be utilized to locate videos not hosted 
on tier 1. However, the data requirements of this study were met solely by using sources 
from Tier 1. A redundancy check was utilized on all sources from tier 1 via a search on tier 
2 and all were found to be dual-hosted, and thus redundant. Further sampling from tier 2 
was unnecessary as over 2 hours of footage comprising 24 videos had already been sampled 
from tier 1. 


Data collection utilized SEO friendly “keyterms”. Keyterms were created based on the 
combination of 1 keyword each from 4 categories: 


yw 


1. Preface keywords: (“active”, “mass”); 
2. Subject keywords: (“shooter”, “assailant” “gunman”) 
3. Instructional keywords: (“prevention”, “mitigation”, “response”, “training”, 


“scenario”) 


The above combination of categorical keywords produced a total of 96 unique searchable 
keyterms. Due to time and resource constraints, as well as in the interest of avoiding 
redundant results, sampling and viewing of videos was restricted to the first page of search 
results as displayed on a standard desktop webpage, for a total of 96 pages perused. 


The logistics of recording and organizing the data was facilitated by entering it in a 
spreadsheet. Overall, the iterative process of data collection and organization took place 
over a period of 24 days, much of which was occurring concurrently with the ongoing 
analysis and interpretation of preliminary results. Microsoft Excel was used due to its ability 
to aggregate large sums of information and retrieve easily for later analysis. In addition, its 
cross-compatibility with PSPP was considered as an asset for further quantitative analysis. 
The spreadsheet had the following columns for purposes of organizing the entered data: 


1. Date sampled: In format YYYY-MM-DD; 

2. Title of video: Copied and pasted directly from its original hosted title; 

3. Publishing organization: Official name of the organization and its type (Law 
Enforcement (LE), Schoo (Educ), or Private Organization (PrivOrg); 

4. Hosting URL: URL of the particular tier the video was sampled from, directly as copied 

and pasted from the browser address bar; 

Views: Numerical count of how many views a video had aggregated; 

Length: Recorded as hrs:min:sec; 

Date published: In format YYYY-MM-DD; 

Type of firearm used: Options as gleaned from sample were: (1) Shotgun, (2) Rifle, 

(3) AR-15 style Rifle, (4) Handgun, (5) Submachinegun, (6) Toy/Prop, or (7) None 

depicted; 

9. Specific make & model of firearm: Determined via personal knowledge and recorded 
as-is. Unknown firearms were recorded as “Unknown”. Videos with no firearms 
depicted were recorded as “N/A”. 


Sires 
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Coding Scheme 

The general purpose of the coding scheme was to assign and ascribe meaning to the 
depictions of firearms seen in the instructional videos. I created descriptive codes through 
assigning labels of physical description to the firearms depicted. These codes comprised of 
the following: 


1. Legal Canadian Firearms Classification: Determined via the criteria from the federal 
Firearms Act as well as Part III of the Criminal Code (RCMP-GRC, 2013). Coded as 
either (1) Non-restricted, (2) Restricted, (3) Prohibited, or (4) N/A. 

2. Firearms action: The specific mechanism by which the firearm operates. Coded as 
either (1) Manual-action (encompasses pump, bolt, and lever actions), (2) Semi- 
automatic (1 shot per trigger pull), (3) Automatic (multiple shots per trigger pull) and 
(4) N/A; 

3. Color: The primary colors of the firearm(s) depicted. Coded as either (1) Only 
black, (2) Black / X, (3) Other than black, and (4) N/A; 

4. Overall length: The length of the firearm from the tip of the barrel to the end of the 
stock or grip. Coded as either (1) Short, (2) Medium, (3) Long, or (4) N/A. 

5. Modifications: Changes to the structure of a firearm, either through alteration (e.g. 
sawing short a barrel), or attachments (e.g. adding on a fore grip and extended 
magazine. Coded as either (1) Yes - with descriptions of the modifications, (2) No, or 
(3) N/A. 


From there on, the process became iterative; I constantly backtracked, deleted, modified, 
and added to my existing descriptive codes until certain general categorical codes emerged. 
Categorical codes were constructed logically as an arithmetical amalgamation of two or more 
descriptive codes. The categorical codes began to form a typology of firearm depictions that 
began to use more value and emotion laden words such as “tactical”, “concealable”, and 
“assault”. Each depiction of a firearm in the videos could fall into multiple combinations of 
categorical codes. The assorted categorical codes are as follows: 


1. Concealed weapon = Descriptive code: LENGTH ("Short" OR "Very Short"). 

2. Tactical = Combination of descriptive codes: COLOR ("Black" OR “Black/X”) + 
MODIFICATION ("Yes") 

3. Assault Weapon = Combination of descriptive codes: FIREARM ACTION ("Automatic 
OR "Semi-Automatic") + TYPE OF FIREARM USED ("AR-15 style rifle" OR "Machine 
gun" OR "Submachine gun" OR "Machine Pistol") 

4. Civilian = Combination of descriptive codes: LENGTH ("Long") + MODIFICATIONS 
("No") + LEGAL CLASSIFICATION ("Non-restricted") + FIREARM ACTION ("Bolt 
Action" OR "Pump Action" OR "Lever Action"). 


Finally, the 3 dominant categorical codes that emerged were scrutinized for latent 
meaning and gave rise to a single overarching analytical code. The analytical code captured 
a broader range of meaning beyond mere physical description, frequencies, or categories. 
The goal of the analytical code was to capture the full spectrum of what manifest and latent 
characteristics encompassed the depiction of a particular firearm, and how it was associated 
with creating meaning, emotions, and perceptions in the viewers. The resultant analytical 
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code is presented, explored and analyzed in the Results & Analysis section of this study. As 
well, it gave rise to a proto-theory which was later integrated with PMT in an inductive, 
theory-generative process. (See the Discussion section). 


Research Process 

A decision was made to employ a mixed-methods approach, using a secondary quantitative 
and primary qualitative methods sequentially in the above-noted order. In order to create 
interpretations and assign meaning to my data in the qualitative phase, I had to first 
synthesize and prune it. Therefore, an initial primer quantitative component that provided 
a broad overview of my data was designed to serve as the foundations for more in-depth 
qualitative inquiry, serving as a form of methods triangulation. The quantitative portion 
largely consisted of descriptive statistics such as frequency counts of the descriptive codes 
and visuals. Overall, its purpose was to present, describe and summarize the data collected. 


The overall goal of the initial, secondary quantitative component was to identify the 
specific issues that required further in-depth exploration and description. The subsequent 
qualitative component then consisted of an in-depth, line-by-line content analysis of both my 
categorical codes and analytical code in terms of manifest meanings (via the dictionary 
definitions) and latent, constructed meanings (via subjective interpretation and 
contextualization). The purpose was to identify themes, categories, and patterns, as well as 
contrast similarities and differences in the data. 


The analysis was framed in the context of the significant relationships found during the 
quantitative component, thus serving as a form of data triangulation. Utilizing a mixed 
methods approach allowed me to create complementarity in two ways. Firstly, the 
quantitative component allowed me to gain a broader, macro level view of firearms 
depictions. From this, I was able to focus on areas of interest for my qualitative inquiry. 
Secondly, the qualitative component allowed me to clarify and give meaning to the 
relationships revealed in the quantitative component. From the ground up, the 
complimentary process of a mixed-methods approach allowed me to generate a proto- 
theory, which would later be integrated with propositions from a formal theory to explain 
the research results. 


Ethical Considerations 
The relevant ethical guidelines from SFU’s University Research Ethics Review (R 20.01) 
are as follows: (Simon Fraser University, 1992) 
“7.3 Research that relies exclusively on publicly available information does not 
require ethics review when: a). the information is legally accessible to the public and 
appropriately protected by law; or b). the information is publicly accessible and there 
is no reasonable expectation of privacy.” 


Most of the active/mass shooter training videos accessible online on video-sharing 


websites are of a public scope and explicitly intended for public use and dissemination, thus 
nullifying any reasonable expectations of privacy. It was reasonably assumed that all actors 
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depicted in the media gave informed consent to its publishing and eventual distribution for 
a brevity of purposes, as opposed to specified purposes. If a video explicitly stated that it 
should only be used for a particular purpose that excludes research, it was omitted from this 
study. If a video explicitly stated that it should not be used for research purposes, it was 
omitted from this study. 


Collection and analysis of the 24 videos sampled remained protected and within the 
provisions of the relevant laws. This reasonably satisfies the requirements in provision 
7.3(a) and 7.3(b). However, there was a need to consider the ethical principle of minimal 
harm with respect to the imagery and scenes depicted in the videos. Many of the videos 
provided disclaimers with regards to the simulated violence, injuries, and casualties they 
depicted. Objectively, this content is likely to be upsetting emotionally to a variety of 
persons. However, in the case of this study, the only individual who was directly exposed to 
these videos was myself, and I already have been involved in program delivery for active 
shooter mitigation, and thus has previous exposure to this content. The risk of subjective, 
individual harm was extremely negligible, foreseeable, and appeared to produce no ethical 
issues throughout this study. 


Results 

This study collected data from and analyzed a total of 24 active/mass shooter instructional 
training videos. The publication date ranged from October 2013 to May 2018. The average 
runtime of a video was 00:07:14 with a total runtime of 02:23:51 for all 24 videos summed. 
With regards to the producer, the majority (13 videos) were created by an educational 
agency (54.17%). A total of 6 videos (25.00%) were created by a government / law 
enforcement agency, and 5 (20.83%) were created by private organizations (figure 1.0). The 
average number of views per video was 515549.50, with a range 2097.00 - 7134566.00 and 
asum of 12373188.00 views total (figure 1.1). A net of 27 depictions of firearms were noted 
to be contained within 24 videos. 


Figure 1.0: Producer of Sampled Videos 


Value Label Value Frequency Percent Cum 
Percent 
Law Enforcement 1.00 6 25.00 25.00 
School 2.00 13 54.17 79.17 
Private 3.00 5 20.83 100.00 
Organization 
Total 24 100.0 
Figure 1.1: View Count of Sampled Videos 
Variable N Mean Range Minimum Maximum 
Views 24 | 515549.50 | 7132469.00 {2097.00 7134566.00 
Variable Sum 
Views 12373188.00 
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Quantitative Analysis 

Handguns were the largest proportion of firearms depicted in the training videos at 44%, 
whether depicted as being used as a primary weapon or a backup secondary. The AR-15’s 
frequency of depiction fell behind the shotgun, at 14.81% vs. 18.52% respectively. (See 
figure 2.0). Very little in the way of civilian style rifles (3.70%) or fully automatic military- 
style submachine guns were depicted (3.70%). Overall, a total 23 firearms were depicted 
with 4 (14.81%) cases being devoid of depictions. 


Figure 2.0: Frequency Count of Firearms Type 


Value Label Value Frequency Percent Cum Percent 
Shotgun 1.00 5 18.52 18.52 
AR15 2.00 4 14.81 33.33 
Rifle 3.00 1 3.70 37.04 
Submachinegun _ /4.00 1 3.70 40.74 
None Depicted 5.00 3 11.11 51.85 
Prop/Toy 6.00 1 3.70 55.56 
Handgun 7.00 12 44.44 100.00 
Total 27 100.0 


The bulk of the firearms (44.44%) depicted in the training videos were classified as 
restricted firearms under the Firearms Act. Prohibited firearms and non-restricted firearms 
were equal in representation at 18.52% each. 


Figure 2.1: Frequency Count of Canadian Legal Firearms Classification 


Value Label alue Frequency Percent Cum Percent 
Non-Restricted {1.00 5 18.52 18.52 
Restricted 2.00 13 48.15 66.67 
Prohibited 3.00 5 18.52 85.19 
Non Applicable 4.00 4 14.81 100.00 

Total 27 100.0 


A large majority (62.96%) of the firearms depicted were semi-automatic in action, 
discharging 1 bullet per trigger pull. Relatively few (14.81%) firearms were depicted 
that utilized manual actions such as bolts, levers, or pumps. Only avery small proportion 
(7.41%) of firearms were depicted to be fully automatic. (See figure 2.2). 


Figure 2.2: Frequency Count of Firearms Action 


Value Label Value Frequency Percent (Cum Percent 
Manual Action 1.00 4. 14.81 14.81 
Semi-Automatic 2.00 17 62.96 ‘77.78 
Automatic 3.00 2 7.41 85.19 
Not Applicable 4.00 4 14.81 100.00 

Total 27 100.0 
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Slightly over half of the firearms depicted were either solely black in color (55.56%) or 
were a mixture of black and some other color (25.93%). Very few (7.41%) firearms were 
depicted to be primarily based on another color entirely. (See figure 2.3). 


Figure 2.3: Frequency Count of Firearms Color 


Value Label Value Frequency Percent Cum Percent 
Only Black 1.00 15 55.56 55.56 
Black and Other 2.00 rd 25.93 81.48 
Other than Black 3.00 2 7.41 88.89 
Not Applicable 4.00 3 11.11 100.00 
Total 27 100.0 


More than half (55.56%) the firearms depicted were coded as short in length (concealable 
under a long jacket), while just a very small proportion (7.41%) was determined to be long 
in length (requiring at least a 40-inch gun case or bag to conceal). (See figure 2.4). 


Figure 2.4: Frequency Count of Firearms Length 


Value Label Value Frequency Percent Cum Percent 
Short 1.00 15 55.56 55.56 
Medium 2.00 6 22.22 77.78 
Long 3.00 2 7A1 85.19 
NotApplicable  |4.00 4 14.81 100.00 

Total VAN, 100.0 


A third (33.33%) of all firearms depicted were determined to have been modified in some 
shape or fashion. Observed modifications included collapsible stocks, extended magazines, 
and holographic sights, laser aiming tools, fore grips, slings, shortened barrels, and pistol 
grips. However, over half (51.85%) of the firearms depicted appeared to be in stock 
configuration and did not have any discernable modifications. (See figure 2.5). 


Figure 2.5: Frequency Count of Firearms Modifications 


Value Label Value Frequency Percent Cum Percent 
Yes 1.00 9 33.33 33.33 
No 2.00 14 51.85 85.19 
Not Applicable 3.00 4 14.81 100.00 
Total 27 100.0 


Overall, the quantitative analysis indicates that the dominant depiction of firearms used in 
active/mass shooter instructional training videos in terms of descriptive codes are 
restricted, semi-automatic, black, short handgun in their stock configuration, although 
modification are also likely. It is worth noting that 18.81% of the sampled training videos 
either did not depict any firearms, or utilized a toy prop. 
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In terms of categorical codes, the frequencies are as follows: 

1. Concealed weapon - 15 cases. 

2. Tactical - 8 cases. 

3. Assault Weapon - 5 cases 

4. Civilian - 2 cases 

5. Combination of 2 or more of categorical codes 1-3: 9 cases. 
Thus, the dominant depiction of firearms used in active/mass shooter instructional training 
videos in terms of categorical codes are concealed, tactical, assault weapons. 


Qualitative Analysis 

The qualitative results were gleaned from a word-by-word analysis of the categorical 
codes via extrapolation from their dictionary definition and definitions of related 
word/phrases as suggested by Merriam-Webster online dictionary. Keywords from the 
direct quotes that were used to assist with the thematic construction of the analytical code 
have been underlined: 


1. Tactical: “of or relating to combat tactics: such as a (1) : of or occurring at the 
battlefront (a tactical defense), (a tactical first strike); (2) : using or being weapons or 
forces employed at the battlefront (tactical missiles) 

2. Assault Weapon: “any of various automatic or semiautomatic firearms; especially: 
assault rifle.” 

a. Assault Rifle: “any of various intermediate-range, magazine-fed military rifles 
(such as the AK-47) that can be set for automatic or semiautomatic fire; also: a 
rifle that resembles a military assault rifle but is designed to allow only 
semiautomatic fire.” 

3. Concealed Weapon: “a dangerous weapon so carried on the person as to be knowingly 
or willfully concealed from sight usually in violation of statute.” 


Combining the categorical codes, the highlighted keywords derived from their dictionary 
definitions, and the previous dominant descriptive codes leaves us with the following 
analytical code: 


A. The depiction of firearms in active/mass shooter instructional videos is a military 
style, combat-assault oriented, magazine fed, semi-automatic, black, restricted by law 
and statute, modifiable, and concealable weapon. 


The findings suggest that there is a consistent theme of military/combat friendly language 
that frames the use and depiction of firearms in terms of being killing implements, even in 
consideration of their myriad other applicable uses. The words are “fear” laden words. 
When framed in the context of shootings and firearms, words like “dangerous”, “assault”, 
“strike”, “black”, “concealed”, “military” are often utilized to describe the lethality or 
seriousness of the situation. This is an inherently fear- and anxiety-provoking situation. 
Consider how often a military grade firearm is painted a bright, pastel color. Consider how 
often civilians utilize the words “dangerous” and “assault” to describe the activity of target 
shooting. To put it in perspective, consider the alternative interpretation of the analytical 
code: 
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B. The depiction of firearms in active/mass shooter instructional videos is a civilian 
style, sporting oriented, bolt action, wood colored, unrestricted by law and statute, 


unmodifiable, and unconcealable tool. 


The former nomenclature is intuitively more threatening, provocative, and inspires more 
feelings of anxiety, apprehensiveness, and fear compared to the latter. The firearm described 
in B is perceived to be less lethal, dangerous, and dangerous than the one in A. 


Combining some of these elicited subjective feelings into the analytical code produces a 
more refined, rich, and thick description: 


A. The depiction of firearms in active/mass shooter instructional videos is a military 
style, combat-assault oriented, magazine fed, semi-automatic, black, restricted by law 
and statute, modifiable, and concealable weapon designed to elicit fear, anxiety, and 
apprehension through its lethality and ability to kill quickly. 


Despite this improved description, there were a few outliers in the data. For instance, a 
relatively low proportion of the videos depicted prohibited firearms, automatic firearms, or 
AR-15 style rifles, despite their perceived higher lethality and shock value. However, this 
finding can be explained as a function of the video-creating agency’s experience and 
preference. Given the scenario-based context that the training video is created in, security 
and law enforcement practitioners may aim to depict particular firearms with a frequency 
corresponding to their real-life prevalence. 


In North America, the prohibited status of automatic firearms under both the Canadian 
Firearms Act and the US Federal Assault Weapons Ban of 1994 severely limits the amount of 
these firearms available in both countries. Hence, it would be unrealistic to utilize depictions 
of prohibited automatic firearms in training videos (Lloyd, 2018). 


Discussion 

The question remains: Why do active shooter instructional videos depict firearms in the 
aforementioned manner? Why is it beneficial for depicted firearms to elicit feelings of fear, 
anxiety, and apprehension from a training standpoint? In order to approach the questions 
from a practical standpoint and obtain the root cause, we must work backwards and theorize 
from the perspective of the individuals/organizations who created the videos. That is, we 
must theorize about the intentions and rationale guiding the content creators. The question 
then becomes: What benefit do physical security and law enforcement experts derive from 
depicting firearms as we have found? 


To answer this question, we will apply certain propositions of Protection Motivation 
Theory (PMT) to the results we have obtained thus far to arrive at an explanation. The 
central proposition of PMT is that the effectiveness of an individual’s response to a threat is 
contingent on their ability to utilize fear as a negative stimulus for motivation purposes 
(Ford & Frei, 2016, p. 439). As it pertains to this study, PMT explains the mechanisms that 
motivate individuals to act in defense of their own safety and security when subjected to 
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fear-based messages (Ford & Frei, 2016, p. 439). The process of protection motivation is 
composed of three stages: 
1. Evaluation: The person under threat evaluates the information available and known 
to them; 
2. Appraisal: The person judges the severity of the threat and their own ability to 
manage it; and 
3. Response: Depending on the degree of motivation garnered, the person decides to 
either respond effectively or ineffectively (Ford & Frei, 2016, p. 440). 


Therefore, one of the salient implications of PMT is that differing degrees and 
characteristics of fear based stimulus will have disparate effects on the effectiveness of 
motivation and protection-seeking responses (Ford & Frei, 2016, p. 440). In the context of 
this research, PMT posits that some videos will have higher educational value in terms of: 

1. Knowledge retention: Training videos that induce the correct degree/type of fear will 
produce a higher rate of learning retention among viewers and; 

2. Motivation: Training videos that induce the correct degree/type of fear will motivate 
a higher proportion of viewers willing to take more serious consideration for their 
safety. 


One of the variables within PMT that has strong implications for the depiction of firearms 
in training videos is the concept of message characteristics. Regardless of the medium, 
messages that contain or invoke emotional, evaluative, or prescriptive content are more 
likely to be accepted, shared, and remembered (Ford & Frei, 2016, p. 441). The particular 
way a message or an entity within the message is framed has key implications for its 
persuasive capabilities (Ford & Frei, 2016, p. 441). The combination of emotional, 
evaluative, and prescriptive content of the active/mass shooting training videos contributes 
to the effectiveness of the message characteristics. 


The link between message characteristics and the motivating qualities of fear is accounted 
for by the concept of message framing. Message framing refers to when the meanings of 
disseminated messages are contextualized with regards to the verbiage and descriptions 
used (Ford & Frei, 2016, p. 442). Studies show that when instructional messages are framed 
using fear-inducing words and descriptions, individuals are motivated to change their 
behaviour to be consistent the intended and communicated message (Ford & Frei, 2016, p. 
442). That is, when the message characteristics invoke the correct degree and type of fear, 
individuals who watch the training videos have a higher likelihood of being motivated to 
watch and listen, learn and remember, and be more willing to respond. 


Therefore, when taken as a whole, the message characteristics of my analytical code with 
regards to the depiction of firearms in training videos can be framed in terms of: 
1. Emotional content: Words that are heavily emotion-laden or invoking include 
“fear”, “anxiety”, “kill”, “assault”, “combat”. 
2. Evaluative content: Words that assist a viewer with assessing the severity of the 
situation include “concealable”, “lethal”, and “modifiable”. 
3. Prescriptive content: Words that delineate what the viewer should expect include 


“magazine-fed”, “semi-automatic”, “black”, and “restricted”. 
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It therefore becomes apparent that there is some theoretical basis for the current depiction 
of firearms in instructional media, regardless of whether or not the creators are aware of the 
utility of PMT and message characteristics and framing. In general, security and law 
enforcement practitioners may derive some real benefit in terms of increased knowledge 
retention and response motivation in their audience by depicting firearms in the form of 
fear-inducing content. The application of PMT provides a plausible explanation as to why 
such a depiction would be advantageous and desirable. 


Limitations & Weaknesses 

There are limitations and potential problems with to this study. Generalizability is limited, 
with regards to both setting, geography, and law (Barbieri & Connell, 2015, p. 40). Although 
the research question examined all settings of active shooter training videos, the videos 
available for sampling were overwhelmingly based on a school context. Because all videos 
sampled were from a North American locale, the study’s results are precluded from 
extrapolation to international locales. Finally, the study had to find a middle ground between 
the disparate firearms laws in North America, mainly between the US and Canada. Settling 
on the Canadian Firearms Act as a classification of firearms legal status may have skewed the 
results in favour of firearms depictions as “restricted’, given that the US has no such 
regulations against handguns or AR-15 style rifles. Further research should utilize Lambda 
analysis to examine if the above variables had any significant association with the firearms 
depiction’s outcomes of interest. 


This study also faced a few weaknesses with regards to reliability and validity. Althougha 
stringent sampling procedure was implemented, due to time and resource constraints, a 
convenience/purposive sampling method turned out to be the best option. A more 
comprehensive and stringent sampling method may have resulted in a different dataset 
being obtained. As such, it is impossible to determine if the videos sampled in this study are 
considered to be the gold standard in active/mass shooter training videos. 


Complicating matters is the fact that the production quality, length, message, and 
instructions delivered in each video are disparate. Moreover, there is no unifying or industry 
standard for what is considered to be the best practice in active shooter training video 
creation. Future studies should add and refine the evaluative criteria for sampling inclusion. 
This would improve consistency and confidence in the generated results. 


Another source of reliability issues stems from the lack of inter-coder reliability (Barbieri 
& Connell, 2015, p. 40). Data in this study was collected, coded, categorized, and analyzed 
by one individual. As a result, there is a higher chance that the results of the data are skewed 
towards one preferred paradigm, analytical method, or interpretation. 


Theoretical validity is also a concern. Because the research in this specific area is scant, 
this study was forced to extrapolate some assumptions and theoretical basis from other 
studies. The applications of PMT with regards to active/mass training videos in Ford & Frei’s 
(2015) study applied primarily to a university campus population. It is unknown if the 
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results would generalize accurately to a different setting or population. Furthermore, Ford 
& Frei’s (2015) findings regarding the efficacy of PMT did not specify the firearm depiction 
to be a variable under consideration. More research is needed on the psychological 
processes through which firearms generate feelings of fear. This highlights the necessity for 
further empirical experimentation and explanatory research in this area, building on the 
descriptive and exploratory nature of this study. 


Conclusion & Further Directions 

This study has found that a large proportions of active/mass shooter training videos favor 
depictions of firearms as black, concealable, magazine fed, military, assault-styled, semi- 
automatic, restricted, modified handguns, which is largely congruent with the media focus. 
My further exploration of the depictions found that most of these characteristics were fear- 
inducing. Limited explanatory research and theoretical application suggests a nexus for the 
usage of PMT as an explanation of motivational mechanism. Assuming the theory holds, the 
reason behind the current frightening depiction of firearms in training videos lies in the 
utility of fear as an effective message characteristic and framing. 


Future research should aim for “setting triangulation” between the following: depictions 
of firearms in active shooter training videos; the dominant discourse pertaining to firearms 
depictions in mass media coverage of active shootings; and real-life usage of firearms in 
active shootings. This would allow for the highest degree of validity with regards to the 
depiction of the phenomena. It is also important to recognize that the application of PMT is 
tentative and exploratory in nature, rather than strictly explanatory. Until a randomized 
(and likely unethical) experiment can be conducted where groups watch separate training 
videos with differing levels of fear inducing firearms depictions and are subjected to an 
active/mass shooting, there is no way assessing the validity of PMT as it applies to overall 
training effectiveness. 


Despite its limitations, this study provides value as a pioneer in under-researched field 
examining a new object of inquiry. Given the discourse regarding firearms control and 
violence in North America, it becomes critical for protection practitioners to stay abreast of 
the latest trends, threats, and practices. This study challenges experts to reconsider “what 
works” and “why” with regards to the choice of firearms they depict in their instructional 
media. An examination of threat as deadly as mass shootings warrants nothing less than the 
highest degree of reliability and validity in research. To do less is to put lives at indirectly at 
risk. 
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Appendix - Videos Analyzed 


(1) Date Sampled 

(2) Title of Video 

(3) Publishing Organization Name & Type 
(4) Hosting URL 

(5) Views 

(6) Length 

(7) Date Published 

(8) Type of Firearm Used 

(9) Specific Make & Model 

(10) Descriptive Code: Legal Classification 
(11) Descriptive Code: Firearm Action 
(12) Descriptive Code: Color 

(13) Descriptive Code: Overall Length 
(14) Descriptive Code: Modifications 

(15) Categorical Codes 


Video 1 

2018-JUL-02 

Active Deadly Threat: Are you Prepared? 
Vancouver Police Department (LE) 

https: //www.vyoutube.com/watch?v=NpRRavbLvxXg&t=40s 
22977 

7:59 

2018-MAY-23 

Shotgun 

9. Serbu Super Shorty 

10. Prohibited 

11. Pump-Action 

12. Black 

13. Short 

14. YES - Foregrip, pistol grip, short barrel 
15. Concealed weapon; Tactical 


SONAMPWNE 


1. 2018-JUL-02 

2. RUN, HIDE, FIGHT: Surviving an Active Shooter Event 
3. City of Houston Police (LE) 

4. https://www.youtube.com/watch?v=5VcSwejU2D0 
5. 7134566 
6 

7 

8 


5:55 

2017-FEB-14 

Shotgun 

Mossberg 500 

10. Non-Restricted 

11. Pump-Action 

12. Black 

13. Short 

14. YES - Flashlight, pistol grip, short barrel 
15. Concealed weapon; Tactical 


so ¢ 


Video 3 
1. 2018-JUL-02 
2. SURVIVING AN ACTIVE SHOOTER LA County Sheriff 
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Video 4 


so 


Video 5 


Los Angeles Mission College (Educ) 
https://www.youtube.com/watch?v=- 7SesGK 5w 
157150 

9:22 

2015-OCT-30 

Rifle 

Ruger Mini-14 


. Non-Restricted Semi-Automatic 
. Black 

. Medium 

. YES - Extended magazine 

. Tactical 


2018-JUL-02 
20 to Ready: Active Shooter 
KBYUEleven (PrivOrg) 


https: //www.youtube.com/watch?v=aPOPH_ xtmQk 


665057 

5:11 
2017-JUL-27 
Handgun 
Berretta 92S 


. Restricted 

. Semi-Automatic 

. Black 

. Short 

. NO- None 

. Concealed weapon 


2018-JUL-02 

Missouri S&T: How to survive an active shooter 
Missouri S&T Campus (Educ) 

https: //www.youtube.com/watch?v=BPQpj k F1l4 
40168 

4:55 

2017-FEB-09 

AR-15 style Rifle 

Daniels Defence AR-15 


. Restricted 

. Semi-Automatic 

. Black 

. Medium 

. YES - Holo sight, foregrip 
. Tactical; Assault weapon 


2018-JUL-03 
SAUSD Run Hide Fight (Elementary School) 
Santa Ana School Police (LE) 


https://www.youtube.com/watch?v=R6YjDmAnafQ 


27574 
11:24 
2017-MAR-01 
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Video 7 


so 


Video 8 


0. 


Handgun 
FMK 9C1 


. Restricted 

. Semi-Automatic 

. Blue & Black 

. Short 

. NO- None 

. Concealed weapon 


2018-JUL-03 

How to Survive an Active Shooter 

Chabot College (Educ) 

https: //www.youtube.com/watch?v=QrMhyk6zBfo 
66336 

7:28 

2017-JUN-30 

AR-15 style Rifle; handgun 

Armalite AR-15, Sig Sauer P226 


. Prohibited; Restricted 

. Automatic Semi-Automatic 

. Black /Black 

. Medium; Short 

. YES - Extended magazine / NO - None 
. Tactical; Assault weapon; Concealable 


2018-JUL-03 

CareerSafe School Active Shooter Safety Video 
CareerSafe (PrivOrg) 
https://www.youtube.com/watch?v=mkT_skNII20 
169692 

4:42 

2013-OCT-3 

Shotgun 

Remington 870 


. Non-Restricted 
. Pump-Action 

. Black 

. Long 

. NO - None 

. Civilian 


2018-JUL-03 
Surviving an Active Shooter 
Ohio State University (Educ) 
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https://www.youtube.com/watch?v=9Z9zkU--FLQ&t=1s 


133411 

6:00 

2015-SEP-23 

Handgun 

Unknown 

Restricted Semi-Automatic Silver Very short 


NO - None Concealed weapon 
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Video 10 
1. 2018-JUL-03 
2. Shooter On Campus: Know You Can Survive 
3. Concordia University of Edmonton (School) 
4. https://www.youtube.com/watch?v=zQ3U9boa6Xg 
5. 224834 
6. 8:09 
7. 2014-JUN-3 
8. AR-15 style Rifle 
9. Norinco CQ-A1 
10. Restricted 
11. Semi-Automatic 
12. Black 
13. Medium 
14. YES - Laser, holo sight, foregrip 
15. Tactical; Assault weapon 
Video 11 
1. 2018-JUL-04 
2. Surviving an Active Shooter Event - Civilian Response to Active Shooter 
3. Texas State University (School) 
4. https://www.youtube.com/watch?v=j0It68YxLQQ 
5. 561868 
6. 11:33 
7. 2015-FEB-10 
8. Shotgun; handgun 
9. Benelli M4; Glock 17 
10. Non-Restricted; Restricted 
11. Semi -Automatic; Semi-Automatic 
12. Black/Tan & Black 
13. Medium; Short 
14. YES - Folding stock, pistol grip / NO-None 
15. Tactical; Concealed weapon 
Video 12 
1. 2018-JUL-04 
2. Surviving an Active Shooter 
3. OCS Training Team Productions (PrivOrg) 
4. https://www.youtube.com/watch?v=zpUIXIw0f6c 
5. 33061 
6. 12:46 
7. 2016-SEP-16 
8. Submachine gun 
9. CS VZ61 Skorpion 
10. Prohibited 
11. Automatic 
12. Gunmetal & Wood 
13. Short 
14. YES - Folding stock 
15. Concealed weapon; Assault weapon; Tactical 
Video 13 
1. 2018-JUL-04 
2. Options for Consideration Active Shooter Training Video 
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3. US Department of Homeland Security (LE) 
4. https://www.youtube.com/watch?v=pY-CSX4NPtg&t=23s 
5. 61938 
6. 7:52 
7. 2017-JUL-28 
8. None depicted 
9. N/A 
10. N/A 
11. N/A 
12. N/A 
13. N/A 
14. N/A 
15. N/A 
Video 14 
1. 2018-JUL-04 
2. ACTIVE SHOOTER 
3. Doctors Community Hospital (PrivOrg) 
4. https://www.youtube.com/watch?v=8yWPnbuGNh4&t=167s 
5. 377388 
6. 11:01 
7. 2015-MAR-3 
8. Handgun 
9. Unknown 
10. Restricted 
11. Revolver 
12. Black 
13. Short 
14. NO - None 
15. Concealed weapon 
Video 15 
1. 2018-JUL-04 
2. Auburn University Active Shooter Response Training 
3. Auburn University (Educ) 
4. https://www.youtube.com/watch?v=7FpBeL VVTs 
5. 2097 
6. 8:34 
7. 2018-FEB-26 
8. Handgun 
9. Unknown 
10. Restricted 
11. Semi-Automatic 
12. Black 
13. Short 
14. NO - None 
15. Concealed weapon 
Video 16 
1. 2018-JUL-05 
2. Active Threat Safety: Run, Hide, Take Action 
3. Simon Fraser University (Educ) 
4. https://www.youtube.com/watch?v=vQnDdlscwXA&t=156s 
5. 12046 
6. 7:14 
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7. 2015-NOV-2 
8. None depicted 
9. N/A 
10. N/A 
11. N/A 
12. N/A 
13. N/A 
14. N/A 
15. N/A 
Video 17 
1. 2018-JUL-05 
2. ALICE. 
3. Northern Illinois University (Educ) 
4. https://www.youtube.com/watch?v=1rV8VNUoxjo 
5. 8483 
6. 2:54 
7. 2016-FEB-18 
8. Toy/Prop 
9. Unknown 
10. N/A 
11. N/A 
12. Blue & Yellow 
13. N/A 
14. N/A 
15. N/A 
Video 18 
1. 2018-JUL-05 
2. ALICE 
3. Shakopee Public Schools (Educ) 
4. https://www.youtube.com/watch?v=9T_n1CatFgs 
5. 91930 
6. 6:20 
7. 2017-FEB-1 
8. Handgun 
9. Glock 34 
10. Restricted 
11. Semi-Automatic 
12. Black & Grey 
13. Short 
14. NO - None 
15. Concealed weapon 
Video 19 
1. 2018-JUL-05 
2. TUPD - Active Shooter Training 
3. Towson University (Educ) 
4. https://www.youtube.com/watch?v=XzE7NgHrwP0 
5. 2641 
6. 3:28 
7. 2016-SEP-12 
8. None depicted 
9. N/A 
10. N/A 
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11. N/A 
12. N/A 
13. N/A 
14. N/A 
15. N/A 


Video 20 

2018-JUL-05 

ISP Unarmed Response to an Active Shooter Event 
Indiana State Police (LE) 

https: //www.youtube.com/watch?v=zeoZmsxpc6k&feature=youtu.be 
1017129 

8:25 

2016-JAN-26 

Shotgun; Handgun 

9. Mossberg 88 Maverick; Smith & Wesson SD9VE 
10. Non-Restricted; Restricted 

11. Pump-Action 

12. Silver & Black/ Silver & Black 

13. Long; Short 

14. NO- None / NO - None 

15. Civilian; Concealed weapon 


WANA PWN 


Video 21 
1. 2018-JUL-06 
2. CSUMB Active Shooter Training Video 
3. California State University Montery Bay (Educ) 
4. https://www.youtube.com/watch?v=0ONGBTdnRdQw@index=4&t=40s&list=LLhv_ 84bSI- 
sijBvmJqUk]tw 


5. 163339 

6. 5:58 

7. 2016-FEB-29 
8. Handgun 


9. Taurus 738 TCP 
10. Prohibited 

11. Semi-Automatic 
12. Black & Silver 

13. Short 

14. NO - None 

15. Concealed weapon 


Video 22 

1. 2018-JUL-06 

2. Active Shooter Scenario 
3. Georbd College (Educ) 
4. h be. 


sijBymjqUkjtw 
59046 


5 
6. 8:42 

7. 2015-DEC-16 

8. AR-15 Style Rifle 
9. Armalite AR-15 
10. Prohibited 

11. Semi-Automatic 
12. Black 
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13. Medium 
14. YES - Holo sight, foregrip, flashlight 
15. Tactical; Assaault weapon 


Video 23 
1. 2018-JUL-06 
2. DeSAT SAFER Active Shooter Training Video 
3. DeSAT (PrivOrg) 
4. https://www.youtube.com/watch?v=3yo0q809SU0&index=7&t=84s&list=LLhv 84bS]I- 
sijBymJqUkJtw 
5. 24812 
6. 4:24 
7. 2016-AUG-24 
8. Handgun 
9. Glock 34 
10. Restricted 
11. Semi-Automatic 
12. Black 
13. Short 
14. NO - None 
15. Concealed weapon 


Video 24 
2018-JUL-06 
Practical Response to Active Shooter 
Rock Valley College (Educ) 
https: //www.youtube.com/watch?v=ppIrzuYIlvDk&index=8&t=41s&list=LLhv_84bSl-sijBvmJgUk|tw 
114945 
3:35 
2014-JUL-03 
Handgun 
Sig Sauer P226; Restricted 
. Semi-Automatic 
. Black 
12. Short 
13. NO - None 
14. Concealed weapon 


00. Oy OP ee OO IN 


Pro 
rR oO* 
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